openSUSE 11.3 Release Notes

Copyright © 2010 Novell, Inc.

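Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. The license is included in the file fdl.txt.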

The release notes are under constant development. Download the newest version as part of the Internet test or refer to http://www.suse.com/relnotes/i386/openSUSE/11.3/RELEASE-NOTES.en.html.

These release notes cover the following areas:

openSUSE Installation
  1. N/A
General
  1. openSUSE Documentation
  2. LXDE—a New Desktop Environment
System Upgrade
  1. Samba: smbfs Service Renamed to cifs
  2. Incompatible IPsec and strongSwan Changes
Technical
  1. Initializing Graphics with KMS (Kernel Mode Setting)
  2. Samba: mount.cifs no longer setuid root
  3. SSH Public Key Authentication

openSUSE Installation

N/A

General

openSUSE Documentation

LXDE—a New Desktop Environment

LXDE provides a lightweight desktop environment for old and obsolete computers with limited hardware resources.

pcmanfm and libfm (LXDE File Manager and its main library) are released as RC1 versions and will get updated with the official updates (stable versions) as soon as possible.

System Upgrade

Samba: smbfs Service Renamed to cifs

smbfs has not been part of the kernel for quite some time; the cifs component has replaced it. To avoid confusion with the name of the service, we finally renamed it accordingly.

During the upgrade of a system with an installed samba-client package, the state of the service will be saved, /etc/samba/smbfstab migrated to /etc/samba/cifstab, and the state of the service restored, if required.

Incompatible IPsec and strongSwan Changes

The "sha256"/"sha2_256" keywords now configure the kernel with 128-bit truncation, not the non-standard 96-bit truncation used by previous releases. If you depend on the 96-bit truncation scheme, use the new "sha256_96" keyword—this might be necessary, if you want to establish a connection with an old kernel (openSUSE 11.2 or earlier).

In that case, modify the connection settings in the ipsec.conf of the new system to use the old, non-standard 96-bit truncation:

esp=aes128-sha256_96

There is also an incompatible strongSwan change. IPComp in tunnel mode was fixed to strip out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases. Disable compression on such tunnels.

Technical

Initializing Graphics with KMS (Kernel Mode Setting)

With openSUSE 11.3 we are switching to KMS (Kernel Mode Setting) for Intel, ATI and NVIDIA graphics, which now is our default. If you encounter problems with the KMS driver support (intel, radeon, nouveau), disable KMS by adding nomodeset to the kernel boot command line. To set this permanently, add it to the kernel command line in /boot/grub/menu.lst. This option makes sure the appropriate kernel module (intel, radeon, nouveau) is loaded with modeset=0 in initrd, i.e. KMS is disabled.

In the rare cases where loading the DRM module from initrd is a general problem unrelated to KMS, it is even possible to disable loading of the DRM module in initrd completely. To do so, set the NO_KMS_IN_INITRD sysconfig variable to yes via YaST, which then recreates the initrd. Reboot your machine.

On Intel without KMS the Xserver falls back to the fbdev driver (the intel driver only supports KMS); alternatively, there is the "intellegacy" driver (xorg-x11-driver-video-intel-legacy package) which still supports UMS (User Mode Setting). To use it, edit /etc/X11/xorg.conf.d/50-device.conf and change the driver entry to intellegacy.

On ATI for current GPUs it falls back to radeonhd. On NVIDIA without KMS the nv driver is used (the nouveau driver only supports KMS).

Samba: mount.cifs no longer setuid root

The mount.cifs program, which is used to mount Samba/CIFS shares, is no longer allowed to run as a setuid root program. mount.cifs has been the subject of several security bugs that have arisen because some users ran it as a setuid root program. For example, tools such as smb4k in the distribution require mount.cifs to be setuid root, so there is a chance that users of such tools set the setuid bit. This program has not been properly audited for security, and the Samba team strongly recommends that it not be installed as a setuid root program at this time.

To make that very clear, this release forcibly disables the ability for mount.cifs to run as a setuid root program. People are welcome to trivially patch this out, by setting CIFS_DISABLE_SETUID_CHECK to 1, but they do so at their own peril.

A security audit and redesign of this program is in progress by the Samba Team.

SSH Public Key Authentication

In /etc/ssh/sshd_config, relative paths are no longer allowed. When pointing to the authorized_keys file, use %h/ in front of the path. Otherwise, logging in using SSH Public Key Authentication will fail with OpenSSH 5.4 and later.

Example:

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
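
As an added example (not part of the original release notes), the following shell function checks an sshd_config for AuthorizedKeysFile values that are neither absolute nor prefixed with %h/, so they can be corrected before the upgrade locks out key-based logins. The function name check_authorized_keys_paths and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: list AuthorizedKeysFile values that are neither absolute
# nor anchored at %h/, following the rule stated in these release notes.

# $1: path to an sshd_config file.
# Prints "LINE:PATH" per offending value; returns 1 if any were found.
check_authorized_keys_paths() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at blank or "="
            if (n == 0) next
            # sshd_config keywords are case-insensitive
            if (tolower(substr(line, 1, n - 1)) != "authorizedkeysfile") next
            args = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", args)    # drop the separator
            gsub(/"/, "", args)                 # drop optional quoting
            cnt = split(args, path, /[ \t]+/)   # newer sshd accepts several paths
            for (i = 1; i <= cnt; i++) {
                if (path[i] == "" || path[i] ~ /^\// || path[i] ~ /^%h\//) continue
                printf "%d:%s\n", NR, path[i]
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
authorizedkeysfile = %h/.ssh/authorized_keys
#AuthorizedKeysFile .ssh/commented_out
  AuthorizedKeysFile /etc/ssh/keys/%u "keys/extra"
EOF
check_authorized_keys_paths "$sample" || echo "entries above need %h/ or an absolute path"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the system to be upgraded; a non-zero return status means at least one entry needs the %h/ prefix.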