Using Debian Linux Packages
"Packages" are software. A package can be a workstation-type program (mozilla Web browser, gimp graphics editor, etc.), a server-type program (Apache Web server, Sendmail e-mail server, etc.), a utility (apcupsd for APC UPSs, taper backup utility), programming libraries, or OS components (GUIs, language modules, even kernel patches). You can download and install software which isn't "packaged". It's just that when software is put into a package it makes it easier to install because programs are already compiled (binary), directories are created if necessary, and all files (binary executables, text configuration files, man pages, etc.) are put into the proper directories. Some packages even have configuration scripts that are run near the end of the package installation to help you initially configure the software.
A "package manager" is used to search for, install, remove, etc. packages. Red Hat's package manager uses .rpm files. Debian's package manager uses .deb files. As you will see below, a package manager isn't always a single program but several utilities used to perform the various package-related functions (search, install, etc).
Working with packages in Debian uses three main utilities:
- apt - Advanced Package Tool - the main package manager on Debian systems used for retrieving/installing, removing, or searching for packages
- dpkg - kind of the predecessor to apt, but is still used for some functions
- dselect - a menu driven front-end that uses both apt and dpkg
Note: The software in one package may need software from another package to work properly. One of the best things about Debian's package architecture is "automatic dependency resolution", i.e. it will automatically load any packages that selected packages may depend on. It may also remove other packages that could cause conflicts. This is why the number of installed packages may be greater than the number of packages you select to install.
If you've ever tried installing packages using Red Hat Package Manager (RPM) you've likely found it a frustrating experience due to the "failed dependencies" errors commonly encountered when trying to install an RPM package. This is because Red Hat's package manager doesn't automatically take care of dependencies like Debian's package manager does.
You may recall being prompted to insert all the discs during the installation so that they could be scanned for available packages. This scan process builds a library of available (on the discs) packages which is used by these package utilities. When you install or remove a package this library is referenced and updated.
A complete list of the current "stable" Debian packages (including free and non-free) can be found at:
apt and dpkg are useful if you have some idea of what you're looking for. For example, apt has a search utility where you can search for software by its given name such as 'apache' or you can search for all available packages containing software offering specific functionality such as 'sniffer', 'dns', etc.
Because Debian comes with so many packages, it's often a good idea to just browse through all of the available packages to see what software you can install and play around with. To get a full listing of packages and their installation status we use dselect. As mentioned, dselect is more of a front-end, user interface tool because when you select a menu item in dselect you are simply running one of the apt or dpkg utilities with a specific set of command-line switches.
Although useful for browsing all available packages, dselect will not be your primary package management tool. You can search for, and install, packages much faster using the apt utilities. However, we wanted to show you how to use dselect because half the fun of playing around with Debian is playing around with some of the tens of thousands of packages that come with it.
dselect has a 7-step menu (numbered 0 through 6) and it will walk you through the steps. There are two different "modes" that you can use when retrieving packages. One is "Access" mode where additional .deb files are retrieved and added to your library. "Update" mode is where no new packages are retrieved but any updates to existing packages (newer versions of what's already in your library) are retrieved. dselect doesn't get installed automatically in later versions so make sure it's installed with the command:
apt-get install dselect
If the version of Debian you're using installed it automatically you'll see a message saying it's already installed.
To use dselect:
Type in dselect at the shell prompt and the menu screen will be displayed. The possible selections are:
- 0. Access - highlighting this and pressing Enter will allow you to select apt as the method for accessing the packages. When you select apt and press Enter it will display your current sources.list file and ask you if you want to over-write it. "No" is the default so just press Enter again.
- 1. Update - ALWAYS run this selection every time you run dselect. dselect maintains its own separate library of packages so run this to have it read (sync up with) the apt library.
- 2. Select - pressing Enter with this selection highlighted will display a help screen. Press q to clear it. This is the main guts of the program. It's displaying the package library database. It can look very confusing the first time you use it but it's really not all that bad.
Notice on the second line from the top of the screen you'll see EIOM on the left. They stand for
Error Installed OldMark NewMark
Currently "Installed packages" are listed first with three asterisks (***) in front of them which indicate:
- the first blank space (Error column) is good
- the first * in the second (Installed state) indicates that it is installed
- the next * in the third (OldMark) column means it was requested for install
- the third * in the fourth column means that it's OK to upgrade this package
With all of the already-installed packages you'll have to hold down the down-arrow key for quite a while to get to the "Available packages" section where, instead of seeing asterisks, you'll have underscore "marks" like this:
(Note that this is two underscores in columns 3 and 4 - OldMark and NewMark columns.) On the left end of this line there are actually two blank spaces (in columns 1 and 2) before the two __ underscore characters.
- the first blank (Error) column is good
- the second blank (Installed State) column indicates it's not installed
- the _ in the third (OldMark) column indicates that the package is not installed
- the _ in the fourth (NewMark) column indicates that nothing has changed in the selection status of the package
Note that the first time you look at this list the third (OldMark) column may have an n in it. This indicates it's a New package because you just ran the Update step. The next time you view the list it will be an underscore character.
If you would like to see a more explanatory presentation of this information, simply press the v key repeatedly to toggle the Verbose display mode on and off. In addition, you can press the ? key at any time to bring up the help menu. In the help menu, pressing the l (lower-case L) key will display a screen explaining all of the code letters. Press q to get out of help.
If you look at the highlight bar in the middle of the screen it will also give you some of this information. A description of the highlighted package is displayed below the highlight bar.
Note: If you ever get into a Select screen and you can't figure out how to get out, just press an upper-case X to get back to the 7-step menu page.
Packages are grouped into categories such as 'devel', 'net', 'utils', and 'web' with 'admin' being the top category because the groups are listed alphabetically. The packages within each of these groups are listed alphabetically also. Packages that are installed are grouped at the top of the listing and thousands of uninstalled packages are listed afterwards.
Use your down-arrow key to go past the installed packages (asterisks in the left columns). When you get to uninstalled packages (underscores in the left columns) go down into the Opt admin section until the uninstalled cpuid package is highlighted:
__ Opt admin cpuid
Looking at the cpuid line, a blank in the first "Error" column is a good thing. A blank in the second "Installed" column indicates it's not installed. An underscore in the third (OldMark) column means the package has not been installed and the underscore in the fourth (NewMark) column means nothing has changed (selection-wise) for this package.
With the cpuid line highlighted, press the + key to select it for installation and the indicator in column 4 will change to an asterisk. Press Enter to go back to the main menu and the next menu selection (Install) will be highlighted.
- 3. Install - is where the packages are actually transferred from the DVDs onto the hard-drive. It will already be highlighted so just press Enter and you'll be presented with the packages to install (if any dependent packages were required they'd be listed also). With 'Y' as the default just press Enter to continue and you'll be asked to insert the Debian DVD #3 and press Enter again. Once it's finished you can accept the default 'Y' to remove .deb files.
- 4. Config - is next. This is where any installed packages requiring additional configuration are taken care of. There won't be any in this case so you can just go to the next step.
- 5. Remove - will remove any unnecessary files or software that may cause conflicts with the newly installed packages. The dpkg command takes care of this for you so you'll just be returned to the menu.
Before selecting the "Quit" option, go back up to the "Select" option and press Enter to see how the flags for the cpuid have changed. The cpuid line we looked at earlier is further up (in the installed packages group) this time so if you arrow down to find it you'll see
*** Opt admin cpuid
Again, using the "l" (lower-case L) option on the help (?) menu will tell you all this.
- 6. Quit - will exit you out of dselect.
Try out the software you just installed. Back at the shell prompt, type in:
cpuid | more
to display information, including register contents, about the CPU chip in your system. The | more part of the command just pauses the displayed output of the command at each 25 lines with --More-- at the bottom of the screen. Press the Space Bar to see the next screen.
dselect showed you what packages were installed on your system during the install routine but there's another way. You can use the command:
dpkg -l | more
That's a lower-case L for "list" and rather than grouping the installed packages in functional areas it lists them alphabetically. apt and dpkg have a lot of command-line options and viewing the man pages for them will provide you with more information.
Using the apt Utilities
The apt utilities (there are several such as apt-get, apt-cache, etc.) can retrieve packages from DVDs or the Internet via http or ftp. You can update your entire system via an Internet connection which is why it's beneficial for your system to have some means of accessing the Internet. This is especially true for Internet server systems as you will want to regularly apply security updates (we'll show you how to do this later in this page).
apt uses the /etc/apt/sources.list file which lists the locations of package files (we'll be modifying this file later in this page). These locations include the DVDs you inventoried (scanned) during the installation routine and also entries for various Internet servers from which you can retrieve updates. The lines in the sources.list file for these Internet servers are commented out by default in case you don't have an Internet connection.
The apt utilities are command line utilities and installing a package is very easy provided you know the exact package name. Most of the time you don't. But there is an apt utility that will help with that too.
WU-FTP is one of the most widely-used FTP server applications. Let's say you want to set your system up as an FTP server using WU-FTP. How do you find out if it's included in one of the package files, and if so, what the package name is? You can use the apt-cache command with the search option like so:
apt-cache search vsftp
Note that this will display any package that has the word "vsftp" anywhere, including in a package's description (without them being a part of the package name).
When the listing is complete the shell prompt will reappear and in the list you'll see
vsftpd - lightweight, efficient FTP server written for security
which is probably the program we want. (The 'd' at the end of the package names stands for daemon.) We can get more information about this package with the command:
apt-cache show vsftpd | more
Now that we know that this is the program we're looking for and we know the name of the package, we can use a simple apt command to install it. apt will automatically install any dependency packages also. To install it just type in:
apt-get install vsftpd
to start the package installation. You will be prompted to insert DVDs #1 and #2. Don't be concerned about ssl-cert, etc. errors at this point.
Your system is now an FTP server! Because this installed the FTP server daemon, it'll start automatically every time you boot your system.
If your Debian server is on a network (and provided you can ping other systems on the network) it's easy to check out. Just go to another system (Linux or Windows) on the same network and at a command prompt enter (assuming the IP address of your Debian system is 192.168.10.10):
You'll be prompted for a username. You can't FTP using the root account. That's because with the FTP protocol everything, including the username and password you enter, is sent over the wire as clear text. Enter the username and password of the account you set up during the Debian installation and you'll see a message that the user is logged in. (You'll also see some info pop up on your Debian PC's screen indicating someone logged in.) By default, vsftpd drops you into the home directory of the user you logged in as. For now just type in quit to close the FTP session.
So what if you don't really want your system to be an FTP server? The command:
apt-get remove vsftpd
would remove the program files from your system, but it would leave the configuration files. In order to remove everything associated with it you need to use the command
apt-get --purge autoremove vsftpd
You'll want to keep vsftpd installed however, so we can transfer files to and from your server. If you are going to set up a system as an Internet server that does offer FTP services, be sure to use the /etc/vsftpd.conf file to increase the security of your FTP services.
Note: The apt-get command has a lot of options for checking packages, resolving dependencies, etc. that we don't cover here. It would be worth your while to check out the man page or Web references to learn more about all this command can do.
Patching Your System
Debian's package system makes it real easy to keep your system up-to-date. Once you get your system connected to the Internet (see the Networking page), you can apply security patches to your system using that Internet connection. We'll show you how to automate the security patching process later in this page.
The first thing you should do is check the sources.list file that apt uses to determine from where it should pull packages. Newer versions of Debian have the repository of security patches enabled by default but it's a good idea to check and make sure.
As mentioned on the Installation page, many organizations don't allow their servers to be Internet-accessible for security reasons. If this is the case with your server, you have no choice but to do point-release updates using discs and should not follow this procedure.
Open the sources.list file in the nano text editor with the command:
You'll see a line like the following for each DVD in your set:
deb cdrom:[name of dvd-rom]
Look for the following line further down in the file:
deb http://security.debian.org/ stable/updates main
If there's a # character in front of this line remove it to un-comment the line. However, don't un-comment any other lines. Then exit the editor (by pressing Ctrl-X and then, if you had to un-comment that line, press 'y' and then Enter) saving the change to the file.
Once you're able to connect to the Internet use the following procedure to update your system:
You can apply the security patches to your system with the following command:
apt-get upgrade -u
The -u in the above command just makes the process a little more verbose, displaying package names as they're downloaded and installed.
Note: The above procedure only updates applications that were installed as a Debian package. If you installed applications that were not in Debian packages (such as when you download the source code files from a Web site and compile/install it yourself), it will have to be updated separately.
Automating Security Patching
Automatically applying security patches will help ensure you're protected against the latest worms and exploits. Automating the process of retrieving and applying security patches is not hard at all. The cron memory-resident scheduler is loaded by default when the system boots so it's just sitting there waiting for you to use it. Automating a process involves two steps: giving cron something to run (i.e. creating a shell script containing the commands you want to run), and then telling cron when to run it.
You create a shell script using a standard text editor. Create the new shell script with the command:
and enter the following commands:
Note: When cron jobs run they run as the cron user which has a very limited PATH in its environment. Be sure to precede all commands with the paths to the commands. To find out the path to a command you can use the whereis command followed by the name of the command. For example:
Normally when you patch a daemon you'll want to restart that daemon to make sure the patches take effect. However, since you won't know which daemon got patched with this automated process there's no way to know which daemons to restart so simply restarting the system is the safest way to go.
Save the file (Ctrl-X, y, Enter) and then change the permissions to make it executable using the command:
chmod 755 /usr/local/security-patches.sh
This is a very basic script. You'll probably want to set up some 'if' statements which test to make sure you got connected and check the success of the apt-get command.
How can you check to see if apt-get executed successfully? DOS had an ERRORLEVEL environment variable you could check the value of to determine the success of a command. In Linux/UNIX it's called the "exit status" and the ? represents this environment variable. Entering the command:
will display the exit status of the most recently run command. (Remember that you have to put the $ in front of an environment variable when referring to its value, as with the echo command or when using an 'if' statement in a shell script.) A zero indicates success (just remember "zero errors") and anything greater than a zero represents some kind of problem.
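One way to build the 'if' tests and exit-status checks described above into the patch script. This is an added example, not the original page's script; the command paths, the log file location and the overridable variables are assumptions to confirm on your own system with whereis.

```shell
#!/bin/sh
# Added example, not the original page's script. Intended to be saved as
# /usr/local/security-patches.sh and run from root's crontab.
# Assumed paths (confirm each with whereis); all can be overridden for testing.
APT_GET="${APT_GET:-/usr/bin/apt-get}"
SHUTDOWN="${SHUTDOWN:-/sbin/shutdown}"
DATE="${DATE:-/bin/date}"
LOG="${LOG:-/var/log/security-patches.log}"

# cron provides no terminal, so keep package configuration from prompting.
DEBIAN_FRONTEND=noninteractive
export DEBIAN_FRONTEND

# Append one timestamped line to the log.
log() {
    printf '%s %s\n' "$("$DATE" '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Run a command, capture its output in the log, record its exit status,
# and return that status to the caller.
run_step() {
    step=$1
    shift
    status=0
    "$@" >> "$LOG" 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        log "OK   $step"
    else
        log "FAIL $step (exit status $status)"
    fi
    return "$status"
}

# Refresh the package lists, then upgrade. Returns 0 on success,
# 1 if the refresh failed, 2 if the upgrade failed.
patch_system() {
    # Fetch problems can show up only as warnings, hence the full output in the log.
    run_step "apt-get update" "$APT_GET" update || return 1
    # -y answers the confirmation prompt; -u lists the packages being upgraded.
    run_step "apt-get upgrade" "$APT_GET" -y -u upgrade || return 2
    return 0
}

# Patch, and restart only if every step succeeded.
main() {
    log "security patch run starting"
    rc=0
    patch_system || rc=$?
    if [ "$rc" -ne 0 ]; then
        log "patching failed (code $rc), skipping restart"
        return "$rc"
    fi
    run_step "restart" "$SHUTDOWN" -r now
}

# Run only when invoked under the installed name, so the functions can also
# be exercised with stub commands.
case "${0##*/}" in
    security-patches.sh) main; exit $? ;;
esac
```

After a scheduled run, the log shows which step failed and with what exit status, and a failed upgrade never triggers the restart.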
Now we tell cron when to run it.
cron is the memory-resident scheduler daemon that can execute commands and scripts at regular intervals. The jobs it runs are listed in a crontab file which is edited using the crontab utility.
The following command will list, if there is one, the contents of your current crontab file:
You'll want to add an entry to the crontab file for the security-patches.sh shell script. The format of the file is basically:
<when-to-run values> <what to run>
The "when to run" is a field which consists of five space-delimited values in the following order:
- Minutes past the hour (0 to 59)
- Hour of the day (0 to 23)
- Day of the month (1 to 31)
- Month of the year (1 to 12)
- Day of the week (0=Sunday to 6=Saturday)
You can use the asterisk (*) to specify all values for any given entry. For example, to run a job every Saturday at 11:15 pm you would use the following values:
15 23 * * 6
Be careful with these values. You'd rarely want to enter a number for the "Day of the Month" and the "Day of the Week". For example, if you entered:
15 23 3 * 6
cron would only run the job when the 3rd falls on a Saturday.
You can enter multiple values for each entry by separating them with commas. We set up cron jobs to check the logs twice a day, every weekday, at noon and again at 5 pm. This required the following values:
0 12,17 * * 1,2,3,4,5
Remember that the space is the delimiter between the five entries.
The "what to run" is what you want to cron to execute and is basically anything you can enter at a shell prompt. Any command, including pipes and redirects, shell script, etc. Since we want to run the security-patches.sh shell script, which we saved to the /usr/local directory, our crontab entry ends up looking like this:
0 3 * * 0 /usr/local/security-patches.sh
Note that only a space separates the "what to run" value from the last of the "when to run" values. The "when to run" values above will run the security-patches.sh shell script every Sunday morning at 3 a.m.
So now that we know what our entry will be, we have to use crontab to enter it into the crontab file. At the shell prompt, enter:
If you get prompted to choose an editor select nano. The current crontab file automatically gets loaded and is most likely empty. Simply enter your new crontab entry and close the editor. You can check to make sure your entry was added to the crontab file by entering the following command at the shell prompt:
Note that you do not have to be logged into the console for cron jobs to run.
Site, content, documents, original images Copyright © 2003-2013 Keith Parkansky All rights reserved