Installing Linux

= Which Linux =

Up until june 2018 I used to recommend Kubuntu or Xubuntu, which are Ubuntu derivatives. They are not perfect, but I found the other Linux distributions I tried even more annoying. However, with release 1.20 of MATE Desktop, I now recommend Ubuntu MATE, but only from version 18.04 onwards.

If you do not trust Canonical, the american company behind Ubuntu, you can always go for plain Debian. Although using a derivative like Xubuntu or Ubuntu MATE reduces exposure to Canonical's whimsies, like the Unity interface or the "lens" spyware.

Manjaro has become a good contender lately. I like the idea of a rolling distribution that is more careful and easy to install and maintain than Arch. The main reason why I have not given it a go yet is the lack of home directory encryption. You can manually set it up, but it's not easy and I fear running a non-standard system configuration. I do not want full disk encryption, I want a per-user encryption. And ext4's native encryption is not user-friendly yet. Unfortunately, Ubuntu 18.04's installer no longer offers the home encryption option. I hope it either comes back soon, or ext4 finally gets ready for normal users.

Kubuntu vs Xubuntu vs Ubuntu MATE
Kubuntu uses the KDE desktop environment. After so many years, we need to face the truth: KDE will never turn into a polished, reliable desktop environment. Something has been wrong for a very long time in the KDE development team. Expect constant annoyance.

Xubuntu uses the Xfce desktop environment, which is faster and more reliable. The trouble is, it is not as flexible, and it also lacks basic features, like: To top it all, Xfce/Xubuntu ships with insane defaults, and reconfiguring them is not intuitive. Furthermore, development has pretty much stalled, and some bugs have been there forever.
 * You cannot turn off the laptop touchpad automatically when plugging a USB mouse.
 * The standard file manager Thunar does not have a split view, unlike everybody else. Its path autocompletion is case sensitive, which is counterintuitive. It also tends to crash every now and then.
 * The window resize borders are too thin, and it is not easy to make then thicker.

In the meantime, the MATE Desktop has come of age, so I now recommend Ubuntu MATE, but only from version 18.04 onwards.

The good news is that, after installing Kubuntu, Xubuntu or Ubuntu MATE, you can easily switch to the other one, as they share the same Ubuntu base. This way, you can comfortably try them all out.

General Kubuntu/Xubuntu/Ubuntu MATE Advice

 * For new installations, go for Ubuntu MATE 18.04 LTS or whichever small version the latest is.
 * For existing Ubuntu installations, versions 16.04.0 and 16.04.1 are stuck with Kernel 4.4 and an older X-Server, but there is little reason to stay with those older versions. See LTS Hardware Enablement Stack for more detailed information, and see section below too.
 * Skip all the non-LTS versions like 16.10.
 * Wait at least 6 months to upgrade to the next LTS version. In my experience, Ubuntu has to ship on a particular date, and they do not really care much if there are still annoying bugs at that date, or whether they remain for months afterwards.

= Things to do before and after installing Ubuntu =

System configuration

 * Check the BIOS settings:
 * Is the date/time correct?
 * Is AHCI for SATA drives enabled? This is especially important for SSD disks.
 * Is booting only allowed from the Linux hard disk?
 * Consider turning disk encryption on during installation. See section below for more information.
 * Is the Linux date/time and timezone correct? You may need to install package "ntp" to keep the time synchronised over the network.
 * Make the Grub bootloader accessible. Otherwise, if you PC ever fails to start and you need access to the bootloader, it will probably be too late. You have 3 options:
 * Option 1) Install package grub-customizer from https://launchpad.net/grub-customizer, and then start the Grub Customizer tool. Enable the "show menu" option, and set the "Boot default entry after" to 1, so that you have 1 second to press the arrow down key (for example) and stop the boot process. I have seen lately some criticism of grub-customizer, so you may want choose another option below.
 * Option 2) For Kubuntu, install package kde-config-grub2, and you can configure it with the mouse under System Settings, Startup and Shutdown, GRUB2 Bootloader. Choose "Automatically boot..." after 1 second, so that you have 1 second to press the arrow down key (for example) and stop the boot process. As a bonus, you can comfortably remove old kernels on this window too. Unfortunately, that does not seem to remove the associated header files, so it's not really worth it. See section below.
 * Option 3) Manually edit /etc/default/grub (maybe with sudoedit or GVfs admin backend's admin:// prefix).
 * From Ubuntu 18.04 onwards, set GRUB_TIMEOUT=1, and set GRUB_TIMEOUT_STYLE=menu.
 * For Ubuntu up to 16.04, add GRUB_TIMEOUT=1 and comment out GRUB_HIDDEN_TIMEOUT.
 * You may also want to remove kernel options quiet and splash in order to see the boot messages.
 * Finally, run sudo update-grub2.
 * Check the available proprietary drivers. I am not sure about installing proprietary (non-open-source) drivers for AMD or nVidia graphics cards, but using the latest processor microcode is probably a good idea.
 * Enable Ctrl+Alt+Backspace to kill the current graphical session. If you make a mistake and/or your system becomes unresponsive, this key combination may be the safest and quickest way out. On the MATE Desktop, you can turn this on under Control Center, Keyboards, Layouts, "Options...", "Key sequence to kill the X server". Otherwise, edit "/etc/default/keyboard" (maybe with sudoedit or GVfs admin backend's admin:// prefix), find variable XKBOPTIONS and set it to "terminate:ctrl_alt_bksp".
 * Disable the compositing window manager. You want a lean, fast, stable desktop environment, instead of fancy 3D effects that tend to trigger obscure graphics driver bugs. On the MATE Desktop, go to "Control Center", Group "Look and Feel", "Windows", "General", and disable "Enable software compositing window manager".
 * Prepare to access Windows PCs over the network: Install packages cifs-utils and libnss-winbind, edit file /etc/nsswitch.conf (maybe with sudoedit or GVfs admin backend's admin:// prefix), and add "wins" to the "hosts:" line, so that it looks like this: hosts:  files mdns4_minimal [NOTFOUND=return] dns wins
 * Install some useful packages:
 * Synaptic seems to be the only reasonable package manager for Ubuntu. Install also package apt-xapian-index (which is not automatically installed, at least on Xubuntu 16.04), or you will miss the very convenient "Quick filter" field in Synaptic. The index is very slow to build, but the standard search function is very uncomfortable.
 * Typical applications are VLC and Gimp.
 * You may want to upgrade to a more recent version of LibreOffice. Unfortunately, the Ubuntu PPA repositories do not have the current "still" version, just the current "fresh" one. Installing a particular version is not worth it, as new versions are released pretty quickly, so you would be constantly updating the PPA repository. In order to install the "fresh" PPA: sudo add-apt-repository ppa:libreoffice/ppa && sudo apt-get update Install also the appropriate myspell-xx and mythes-xx packages to get spelling dictionary and thesaurus support for the languages you need.
 * Install package "trash-cli" and get used to deleting files with "trash" instead of "rm". If you make a mistake and delete the wrong file, you'll be able to recover it from the desktop trashcan/wastebin.
 * Install package "exfat-fuse", in case some external disk has been formatted by Windows with the exFAT filesystem.
 * You may want to install legally-encumbered codecs and DVD playback: Up to Ubuntu 15.04: sudo apt-get install ubuntu-restricted-extras libavcodec-extra sudo apt-get install libdvdread4 sudo /usr/share/doc/libdvdread4/install-css.sh From Ubuntu 15.10 onwards, libdvd-pkg is available to ease the installation of libdvdcss: sudo apt-get install libdvd-pkg sudo dpkg-reconfigure libdvd-pkg
 * By default, all accounts can access other user's home directories. This goes against intuitive expectation and is an incredible security and privacy oversight. In order to stop this:
 * Issue the following command inside each existing user account:     chmod g-rwx,o-rwx "$HOME"  For users other than the current one, use:      sudo chmod g-rwx,o-rwx ~username.
 * For eventual new users, edit /etc/adduser.conf and change DIRMODE from 0755 (rwxr-xr-x) to 0700 (rwx--). Alternatively, 0750 (rwxr-x---) allows access to users of the same group too.


 * Make sure that IPv6 privacy is enabled. Otherwise, your public IPv6 address leaks your MAC address, which can even reveal what kind of computer you are using.


 * This is necessary for Ubuntu 16.04, but should be the default for Ubuntu 18.04.


 * RFC 7217 is an extension to IPv6 that allows the primary, static IPv6 address to be generated from an opaque hash which does not reveal any information. There is also RFC 4941 aka "Privacy Addressing" that lets outbound connections use temporary, randomly generated addresses, which are rotated every few hours. These extensions are independent from each other. RFC 7217 is a good start, but you can also enable RFC 4941 separately.


 * The following applies for Linux distributions that use the Network Manager. Alternatively, privacy extensions can also be enabled at Linux kernel SLAAC level, see sysctl net.ipv6.conf.default.stable_secret.


 * Check whether the privacy modes are enabled:

nmcli connection show nmcli connection show "name or ID" | grep -e 'ipv6.addr-gen-mode'  -e 'ipv6.ip6-privacy'


 * ipv6.addr-gen-mode is for RFC 7217. Value eui64 in means no privacy. You want stable-privacy.


 * ipv6.ip6-privacy is for RFC 4941. Value 0 means disabled.


 * In order to enable RFC 7217 for a single network connection:

nmcli connection modify "name or ID" ipv6.addr-gen-mode  stable-privacy


 * To make this the default for new connections, edit /etc/NetworkManager/NetworkManager.conf (maybe with sudoedit or GVfs admin backend's admin:// prefix), and add this option:

[connection] ipv6.addr-gen-mode=stable-privacy


 * RFC 4941 is available with the Network Manager GUI: Edit a connection, to go the 'IPv6 Settings' tab, and choose under "IPv6 privacy extensions" one of the "Enabled" options. Option "Enabled (prefer temporary address)" maps to "ipv6.ip6-privacy: 2 (enabled, prefer temporary IP)".


 * Maybe configure some of the usual system tools to run as root without password. See the section below for more information.
 * If you are preparing a system for an inexperienced user, consider some way of remote control in order to help him or her later on. I suggest creating a desktop icon for my RemoteControlPrompt.sh script.

Performance optimisation

 * Reduce the amount of reserved disk space. On ext4 filesystems, Linux reserves some disk space for privileged processes and to help prevent fragmentation. The default amount of 5 % comes from the times where hard disks were much smaller. You can reduce it to 1 % with command "sudo tune2fs -m 1.0 /dev/sdXY". In order to find out how much is reserved: sudo tune2fs -l /dev/sdXY | grep -e "Reserved block count:" -e "Block count:" Use "sudo fdisk -l" to list your hard disk partitions. If you used LVM during installation, your main filesystem could be called something like "/dev/mapper/xubuntu--vg-root".
 * Maybe reduce the swappiness from the default 60 to 10. Whether this will improve swapping is debatable. It is probably a good idea only if you cannot move your swap partition to another drive. Edit file "/etc/sysctl.conf" (maybe with sudoedit or GVfs admin backend's admin:// prefix), and add or modify the swappiness entry to "vm.swappiness = 10". After a reboot, you can check the current value with cat /proc/sys/vm/swappiness.
 * Optimise filesystem performance by editing /etc/fstab as root and adding options "noatime,commit=30" to your ext4 filesystems. noatime implies nodiratime, so you do not need both. noatime may break some special software, like the Mutt e-mail client, but you will probably never be affected. Note that alternative relatime may trigger extra reads in order to compare file and directory dates, and it is not quite honest about the last access time, which can also be problematic. From Linux kernel version 4.0, there is a lazytime mount option for Ext4 that may be worth considering.

# How to see the current mount options: mount -l | grep ext4 # How to test this change, option 1: # Sort by and show last access time, most recent last. # No file should have the current date or time. ls -l -t -u --reverse --time-style=full-iso "$HOME" # How to test this change, option 2: # Check if accessing some old file updates its last access time: SOME_OLD_FILE="$HOME/some_old_file" sh -c 'stat --format="Lass access time before: %x" "$SOME_OLD_FILE"  &&  cat "$SOME_OLD_FILE" >/dev/null  &&  stat --format="Lass access time after : %x" "$SOME_OLD_FILE"'
 * Consider using the Budget Fair Queuing (BFQ) I/O scheduler. It is probably the best choice for desktop systems, but apparently it still has problems as of nov 2018, and is not enabled by default in many Linux distributions.
 * Disable unnecessary indexers:
 * updatedb / locate database. See mlocate conflicting package.
 * (Kubuntu only) KDE Baloo (formerly Nepomuk). Go to System Settings, Desktop Search or simply Search, and add your home folder, which acts as an indication to turn the indexer off. Later note: they have finally added an "Enable Desktop Search" checkbox with the latest update. Alternatively, disable it with command "balooctl disable".
 * (Kubuntu only) KDE Akonadi. Go to System Settings, Personal Information, stop the service.
 * Prevent unexpected system updates. Unexpected package manager activity in the background can render your PC slow or even unresponsive when you are in a hurry. Configure the system updates to check less often (weekly or every fortnight) and disable automatic installation.

For Ubuntu MATE / MATE Desktop

 * Ubuntu MATE ships with a strange desktop layout by default. Most people are used to a Windows 95-style interface, with one menu button on the bottom-left corner, and just one panel (the taskbar) at the bottom. That's good enough for most of us. Advanced users will quickly find their way around and turn on virtual desktops etc., but laymen need something easy and familiar to begin with. I do not understand why Xubuntu/Xfce and Ubuntu MATE have such bad defaults. I sense immediate resistance from users of other very popular operating system just because of this. So the first thing you'll want to do is to rearrange it to look like the traditional Windows 95 desktop. Fortunately, it is not hard to do, but it does take a few minutes. Right-click on the panel items, untick option "Lock To Panel", right-click again, choose "Move", and move each item as desired.
 * The Advanced MATE Menu (mate-menu.py) is actually more comfortable and more easily customizable than the default Brisk menu. In order to use it, right-click on the pane, choose "Add to Panel...", and select "MATE Menu". You will probably want to enable option "Always start with favorites pane", which should actually be the default, like in KDE, Xfce's Whisker Menu and Microsoft Windows 10. Otherwise, you have to click once more very often to start the most-used applications, which kind of defeats the concept of "favourites". Why MATE's Brisk menu does not do or allow that, is beyond me.
 * Configure Ctrl+Esc to bring up the system menu. Unfortunately, you cannot do this with the settings dialog from either the Brisk Menu or the Advanced MATE Menu, at least with MATE Desktop version 1.20. Due to a shortcoming regarding the Esc key, pressing Ctrl+Esc yields "Super_L", which is not correct. Options for the Advanced MATE Menu are:
 * Option 1) Start dconf-editor, open org.mate.mate-menu, edit entry hot-key and enter string "Escape" (without the quotes). 'Primary' actually means the Ctrl key.
 * Option 2) Issue the following command:   gsettings set org.mate.mate-menu hot-key "Escape"
 * Useful application shortcuts to add under Control Center, "Keyboard Shortcuts" (they end up in a new section called "Custom Shortcuts"):
 * Ctrl+Alt+Escape: xkill
 * Ctrl+Shift+Escape: mate-system-monitor
 * Remove some global keyboard shortcuts that tend to conflict with other applications. Good candidates are the workspace switching shortcuts.
 * Install a better image viewer. I recommend these (in this order): Geeqie, Eye of MATE (the default), nomacs, gThumb.
 * The "Shut Down..." applet offers a convenient panel button to power your system down.
 * The excellent Arch Linux wiki has more tips for the MATE Desktop.

The Window Resizing Borders Are Too Thin
The window resizing borders are almost always way too thin, making it very difficult to resize windows. In this day and age, it is a very frustrating problem. This bugs every new user every single time since many years. You will find more information here and here.

Your options are:


 * Option 1) Get used to resizing windows with Alt+ . Try it near the window sides or corners. That is pretty intuitive and comfortable after all. Alt+ lets you move the windows. After you get used to this, you'll miss it dearly on other Operating Systems.


 * Option 2) Choose under "Control Center", "Look and Feel", "Appearance", a UI theme with thicker borders. Which ones have thicker borders, and how thick they are (usually still too thin anyway), is not apparent until you test each theme. Unfortunately, themes change other things that you may not like, so this is an all-or-nothing approach. MATE's default theme Menta, and BlueMenta too, have slightly thicker borders and may be enough. Unfortunately, Ubuntu MATE defaults to Ambiant-MATE, which has extremely thin borders, but Menta and BlueMenta are still available.


 * Option 3) Edit the current UI theme manually in order to increase the window border size. This may be the best option for users unwilling to get used to the Alt+ method. It can also help if you are running virtual machines and trying to resize windows with the mouse is intercepted by the host. Or if holding buttons down is difficult with your laptop's touchpad. However, keep in mind that a system upgrade can overwrite your manual changes at any point in time (unless you want to make a local copy with cp -r /usr/share/themes/ ~/.themes/ , but then you will miss out on eventual fixes and improvements to the theme). It is hard to automate this task, because the syntax is not actually XML, but GMarkup. That inevitably leads to problems, like Bug 514306 - Many Metacity themes contain invalid XML. There is a blog article that explains Metacity themes in detail. But manually editing the files is not hard. The steps are:
 * Find out the current UI theme's name. Either look at "Control Center", "Look and Feel", "Apperance", or type the following command:    gsettings  get org.gnome.desktop.interface  gtk-theme
 * Under /usr/share/themes/ /metacity-1, edit the corresponding metacity-theme-X.xml files, where X is the version number. The may be several versions for a theme. You will need to edit them as root, and a convenient way is to use sudoedit or GVfs admin backend's admin:// prefix.
 * Find element frame_geometry_normal, and change the following elements underneath: left_width, right_width and bottom_height. I suggest increasing the value from 1 to 5.
 * You can check out the results immediately with this command:    marco-message reload-theme


 * Option 4) Resize with the window's top-left and top-right corners, which tend to be bigger than the rest of the window resizing borders. Which corners are wider depends on the UI theme and has often to do with the position of the window buttons (maximise, minimise, restore and close buttons).


 * Option 5) Right-click on the window's title bar and choose pop-up menu option "Resize". When you move the mouse, you will resize the window by the top-left or top-right corner, depending on which one was nearest the right-click you did to bring up the pop-up menu.


 * Option 6) Resize windows with the keyboard. By default, the keyboard shortcut to start window resizing is Alt+F8. Then use the arrow keys to resize the window. Hold Shift to jump to the next snapping point (another window, or the end of the screen). Hold Ctrl to adjust in fine steps. Hold Alt to change the corner you are resizing/moving. Pressing Return will save your resize, and pressing Escape will revert to the original size.


 * Option 7) Switch your compositing window manager to Compiz. The shadow around the window is included into the window resizing trigger area, whereas that is not the case with MATE's Marco. Changing such as system component may not be for the faint of heart though.

For Xubuntu/Xfce

 * (only up to Xubuntu 14.04) The default menu applet, Applications Menu, is no good. Use Whisker Menu instead.
 * (only up to Xubuntu 14.04) The default menu editor, Alacarte, does not seem to work well. Install and use MenuLibre instead.
 * Disable "Use mouse wheel on title bar to roll up the window" under "Settings", "Window Manager Tweaks", "Accesibility". You normally do not pay attention to the exact position of the mouse cursor when you are scrolling with the mouse wheel, and it is disconcerting to see a window suddenly collapse to just the title bar, with no obvious way to restore it to its normal size.
 * The Whisker menu should show "Firefox" and "Chromium" instead of 2 "web browser" entries that you can only tell apart with their icons. Otherwise, right-click on the Whisker icon, "Properties", "Appearance" tab, untick the "Show generic names" option. Alternatively, if that has happened in the favourites: start MenuLibre, look at the menu item for "Internet", and in field "common name" replace "web browser" with Firefox etc. Save the entry.
 * When you maximise windows, you may find that their bottom part is obscured by the Xfce panel at the bottom (the taskbar). Go to the Panel Preferences and disable option "Don't reserve space on borders". That this happens at all, and also the option's name, is just unbelievable.
 * Install package xfce4-pulseaudio-plugin. Otherwise, you get no volume icon on the taskbar (!).
 * Install package xfce4-goodies.
 * Add to the taskbar the 'devices' item, in order to comfortably unmount USB sticks.
 * If you find the sleep/suspend behaviour annoying, add an icon (a Quicklauncher) with the following command: sh -c "xscreensaver-command -lock && xfce4-session-logout --suspend && xscreensaver-command -deactivate" That does the sane thing: lock the screen, suspend, and ask for the password on resume.
 * If you play with themes, a reasonable one is "Greybird", which is the default for Xubuntu (there is no option to restore the theme to the default one).
 * If the window resize borders are too thin, your options are: 1) Choose under "Settings", "Window Manager" a theme with thicker borders, like 'Kokodi'. Which ones have thicker borders, and how thick they are (usually too thin anyway), is not apparent until you click on each theme. Unfortunately, themes change other things that you may not like, but it is an all-or-nothing approach. Option 2) is to get used to resizing windows with Alt+right mouse button, which is pretty comfortable after all. Option 3) is to resize with the window's top-left and top-right corners, which tend to be bigger than the rest of the window resizing borders.
 * Disable desktop zoom with Alt+mouse wheel if it bothers you:
 * Start "xfce4-settings-editor" (the "Settings Editor" is not the standard "Settings" window).
 * Go to Channel "xfwm4".
 * Disable Property "zoom_desktop".
 * Remove some global keyboard shortcuts that tend to conflict with other apps, like Ctrl+F4: "Settings", "Window Manager", "Keyboard" tab.
 * Useful application shortcuts under Settings, "Keyboard", "Application Shortcuts":
 * Ctrl+Alt+Escape: xkill
 * Ctrl+Shift+Escape: xfce4-taskmanager
 * A useful format string for Xfce's clock on the taskbar is: %d %b, %H:%M
 * Install a better image viewer. I recommend these (in this order): Geeqie, Eye of GNOME, nomacs, gThumb.

For Kubuntu/KDE

 * Choose "Start with an empty session" in "System Settings", "Startup and Shutdown", "Session Management". You will probably want to untick option "Confirm logout" too.
 * Configure Keyboard shortcuts like under Windows: Go to "System Settings", "Shortcuts and Gestures", and then:
 * Ctrl+Esc should bring up the start menu: "Global Keyboard Shortcuts", "Plasma Desktop Shell", "Activate Application Launcher Widget".
 * Ctrl+Shift+Esc should bring up the Task Manager: "Custom Shortcuts", "Edit", "New Group", then, in that group, "New", "Global Shortcut", "Command/URL", "Trigger", set Ctrl+Shift+Esc, "Action", enter "ksysguard". Make sure the new group is active by ticking the box next to its name.
 * Alt+Space should bring up the window menu: "Global Keyboard Shortcuts", "Kwin", "Window Operations Menu" ("Fensteraktionen-Menü in German).
 * Remove some keyboard shortcuts that tend to conflict with other apps, like the following (is there a way to find a KDE shortcut by key combination in all "KDE components"?):
 * Global Keyboard Shortcuts, KWin: Ctrl+F1 ... Ctrl+F7.
 * If the window resize borders are too thin and therefore hard to hit: Go to "System Settings", "Workspace Appearance", "Window Decorations", "Configure Decoration...", "General", "Border size".
 * Add pavucontrol ("PulseAudio Volume Control") to your favourites. You may need to install package pavucontrol first. The standard volume control applet does not let you choose where an application like Skype should be recording the audio from.
 * Install plug-ins for the Dolphin file manager. Install package ruby. Then open the file manager, go to Control, Configure Dolphin..., Services, Download New Services.... Add "Root Actions Servicemenu" and "Scan with ClamAV".
 * The User Manager tool in System Settings is useless. Install package kuser, and run "gksudo kuser" instead.
 * Minimised windows get very pale taskbar icons and captions, making it hard to tell which window they represent. To fix that for the icons: Go to System Settings, Application Appearance, Icons, Advanced, Desktop, click on Set Effect for the Disabled icon, select "No Effect" and untick the "Semi-transparent" option. Unfortunately, I don't know how to fix that for the caption texts yet.
 * If connecting a USB stick does not automatically mount it, or it asks too much confirmation, look at System Settings, Removable Devices.
 * Limit the maximum Trash size. The default of 10 % can be pretty large on today's hard disks, and a large Trash can slow file deletion down considerably. It is probably a good idea to delete older files automatically, so that it does not become so big over time. You can adjust the Trash limits inside Dolphin file manager's settings.
 * emacs warns: "Buffer 'somefile.txt" still has clients; kill it?". Go to System Settings, File Associations, text, plain, emacsclient, Edit..., Application, "Command:", enter "emacsclient --no-wait".

Preventing Password Prompts
Most Linux distributions have the annoying habit of asking for your password every time you need elevated privileges. If you are installing a few software packages, and your password is long and complicated, that can quickly get on your nerves. Besides, I do not understand why the automatic system updater, which should actually run unattended by default, wants a password every time.

Below are some ways to avoid such password prompts. But bear in mind that all of these options decrease system security in one way or another.

Option 1) Write setuid wrappers
You can write small wrapper shell scripts with the setuid flag set, so that you can start programs as root without a password prompt.

The trouble is, setuid is disabled by default in Debian for shell scripts. There are other workarounds, but it is not worth the trouble.

Option 2) Edit /etc/sudoers
This is the kind text I normally place in my /etc/sudoers.d/my_personal_no_password_sudoers file:

# ALWAYS edit file "/etc/sudoers" with "sudo visudo", or in this case, # "sudo visudo -f /etc/sudoers.d/my_personal_no_password_sudoers", # because visudo edits the sudoers file in a safe fashion. # Otherwise, the smallest syntax error can lock you out of the system. # # Instead of "%sudo" below, which makes the rule apply to all users that belong # to the 'sudo' group, you can specify a particular user account like "mylogin". # # The 'ALL' in 'ALL=(root)' is the hostname. # # The "" below at the end of some commands limits the effect of that # permissions line to running the application with no arguments. # # Note that you cannot give NOPASSWD permissions to any file, like some script # under your home directory, because sudo seems to carefully check permissions # along the way. Files under /usr/sbin/ (for example) are fine. # # The order of the entries is important, the last one wins. # Traditional apt-get. %sudo ALL=(root) NOPASSWD: /usr/bin/apt-get install * %sudo ALL=(root) NOPASSWD: /usr/bin/apt-get update %sudo ALL=(root) NOPASSWD: /usr/bin/apt-get upgrade # From Ubuntu 16.04, you are encouraged to use "apt" instead of "apt-get". %sudo ALL=(root) NOPASSWD: /usr/bin/apt install * %sudo ALL=(root) NOPASSWD: /usr/bin/apt update %sudo ALL=(root) NOPASSWD: /usr/bin/apt upgrade

The above works best for command-line programs. For GUI tools, it is best to use the polkit method described below. Otherwise, you may have to change your system menu items for Synaptic, the system Updater and so on, in order to match the lines above. For example, use MenuLibre in order to change menu item Synaptic to run "gksudo synaptic" instead. On KDE, you may have to use "kdesudo" instead of "gksudo". Untick "run as a different user", and untick also "Enable launch feedback", as it probably gets confused because of the root user it is running the application as. Then use the new or modified icons to start the applications (like Synaptic) as root without password.

I have written a script to help automate creating and editing the file above.

Option 3) Configure polkit
Ubuntu is using polkit since 16.04 in order to manage elevated privileges, especially for GUI applications. For command-line applications, most people use /etc/sudoers instead.

Say you want to start Synaptic without a password. You need to start it with script synaptic-pkexec, which should already be on your system, and is just a wrapper script that does this:    pkexec "/usr/sbin/synaptic" "$@" The reason why there is a separate -pkexec script is probably that Synaptic can also run without root privileges. Take a note of the Action name inside the Details section in the authentication dialog that pops up. In this case, it is com.ubuntu.pkexec.synaptic.

Other wrappers, like gufw-pkexec for the firewall configuration, do not seem to be such pkexec wrappers. Users just run "gufw" (and not the wrapper), and polkit picks that up somehow. In this case, the authentication dialog shows that the Action name is com.ubuntu.pkexec.gufw.

Yet another example is pressing the Unlock button on the "Time and Date Settings" dialog. The Action name then is org.freedesktop.systemtoolsbackends.set.

You have now the following options:

Option a) Add a file under localauthority/10-vendor.d
The following applies to polkit up to version 0.105, which is what comes with Ubuntu 16.04 and 18.04.1. Newer versions use JavaScript configuration files instead of .pkla files.

Add a file to your system named like this:

/var/lib/polkit-1/localauthority/10-vendor.d/49-my_personal_nopasswd_global.pkla

You can then use sudoedit or GVfs admin backend's admin:// prefix in order to edit it.

The contents should look like these (this example has 3 Actions):

[No pkexec password prompt for sudoers] Identity=unix-group:sudo Action=com.ubuntu.pkexec.synaptic;org.x.lightdm-settings;com.ubuntu.pkexec.gufw ResultActive=yes

In the above example, all users that are member of the sudo group can run the 3 given actions without entering a password.

Action names can use wildcards. For example, org.freedesktop.NetworkManager.* would grant the users permission to run all of the functions offered by the Network Manager.

I have written a script to help automate creating and editing the file above.

Option b) Add a file under rules.d
Option 2) The Arch Linux wiki on polkit suggests overriding the rules by creating your files in a separate dir:

"Authorization rules that overrule the default settings are laid out in a set of directories as described above. For all purposes relating to personal configuration of a single system, only /etc/polkit-1/rules.d should be used."

However, subdir "rules.d" does not exist in Ubuntu. I do not know whether creating it would help.

Option c) Use a polkit GUI
The Arch Linux wiki suggesst using GUI Polkit-Explorer, which unfortunately is not available in Ubuntu's repositories as of versions 16.04 or 18.04.

Always Reboot after an Update
Be careful with updates, as running applications are not updated on the fly. Some of them, like Firefox, realise automatically and display a warning, but others can get confused if files underneath suddenly change. Other applications, like virt-manager, require the user to be member of a particular group to work properly, and this membership change only applies after logging out and in again. For all those reasons, the only truly safe way is to reboot after an update, and sometimes also after installing new software. See article "dnf update" considered harmful for more information.

Upgrading the Kernel Components
Every now and then, you should upgrade the kernel and X-Windows versions. Instead of Service Pack, this kind of upgrade is called LTS Hardware Enablement Stack in the Ubuntu world. Wait at least 3 months after a Hardware Enablement Stack has been released before upgrading. On recent Ubuntu versions, if you install a .2 or .3 release, this manual update is no longer necessary.

Package Manager Maintenance
You should check every now and then whether your disks are getting full. I do not know yet of a Linux distribution that warns you when you are running out of disk space. There are many GUI tools like "GNOME Disk Usage Analyzer" (in German "Festplattenbelegung analysieren", executable "baobab"), or MATE's "Disk Usage Analyzer" (executable "mate-disk-usage-analyzer") to that effect. Alternatively, issue command "df -hT", or use pydf, which is a little more user friendly. Use a tool like K4DirStat in order to find out which files are consuming too much room.

Unlike Microsoft Windows, Ubuntu automatically deletes temporary files, so your hard disk will not fill up with rubbish so quickly.

The system package manager accumulates some garbage over time. Every now and them, you can clean most of it with these commands:

sudo apt-get --assume-yes autoremove &&  sudo apt-get --assume-yes autoclean

Ubuntu should automatically remove old kernels and their associated headers after installing updated versions, but it does not remove their configuration files, so after a year's worth of updates it gets confusing, and you do not really know how many such old packages remain in the system. Up to Ubuntu 16.04, you could use a tool called purge-old-kernels, which comes with package byobu, but that has changed with Ubuntu 18.04, where this tool does nothing more than an "apt-get autoremove". In order to do a better job of removing those old kernel package configurations, check out routine apt-maintenance in my Bash .rc file.

If you run into weird errors when updating your system, the following usually helps:

sudo aptitude safe-upgrade --full-resolver

For PCs with only 512 MiB RAM
512 MiB of RAM is too little nowadays for Ubuntu-based system. Starting the package manager is already a heavy load for such a computer. Here is some suggestions:


 * Get rid of apt-xapian-index, see Fake Replacement for Debian Package apt-xapian-index
 * Switch to a lightweight Web browser like Midori. You will lose some comfort, and some pages will not display properly, but Firefox and Chromium are just too heavy.
 * Optimise your swap:
 * Move your swap partition to another drive.
 * If you have more than one drive, move the swap partition or file to the least-busy disk.
 * Try swapping to a USB stick. Here is a how-to guide.
 * If the computer has a memory card reader, you could use a fast memory card as the main swap drive. I have seen great swap performance improvements even with a standard 512 MB SD card (8.5 MB/s read speed, 2.5 MB/s write speed, 1 ms seek time) from an old digital camera connected over a cheap USB 2.0 card reader. The reason behind the improvements are probably the card's fast seek time and the lower pressure on the main hard disk.
 * If your video card has a lot of memory, some people have managed to use some of it as a swap device.
 * Reduce the swappiness from the default 60 to 10. Whether this will improve swapping is debatable. It is probably a good idea only if you cannot move your swap partition to another drive. Edit file "/etc/sysctl.conf" (maybe with sudoedit or GVfs admin backend's admin:// prefix), and add or modify the swappiness entry to "vm.swappiness = 10". After a reboot, you can check the current value with cat /proc/sys/vm/swappiness.
 * Try swapping to zram. It made things worse for me, but your mileage may vary.
 * Switch to a lightweight Linux distribution. Xubuntu or Lubuntu will not bring much. You could try Puppy Linux.

= Disk encryption =

You should always encrypt your personal data in order to protect it from prying eyes, especially on portable devices that leave your home often.

If you decide not to, or you set your computer to automatically log on without a password, then you should not bother enabling encryption, as that would bring only unnecessary complication. In this case, you can stop reading this section now.

The Ubuntu installer offers option "Encrypt my home folder" during installation. This encryption method is a good compromise among performance, manageability and security.

What the installer fails to mention is the performance implication of such a decision. Ubuntu uses eCryptfs with an AES cypher. If your CPU has no AES hardware acceleration, you will lose performance when reading and writing files.

In order to find out whether your CPU has AES instructions, use the following command:

$ cpuid | grep -i aes AES instruction = false

Alternatively, "cat /proc/cpuinfo | grep -i aes" will also do.

I have an oldish netbook with a sluggish Intel Atom N450 running at 1.66 GHz (1 core with hyperthreading and 512 MiB cache), which actually was the motivation behind writing this article. As the author of the Quick Disk Test tool, I recently lost quite some time debugging a non-existent disk performance issue on this laptop. I had installed an SSD disk and wondered about the abysmal disk performance. I looked at everything: SATA and AHCI BIOS settings, DMA settings in Linux, I even replaced the disk.

It turns out that sequential read performance on the Netbook drops from 56 MiB/s, using 23 % CPU, to 25 MiB/s using over 50 % CPU (one full CPU thread). Sequential write performance drops from 50  KiB/s, using 35 % CPU, to 18 KiB/s using over 50 % CPU. I just did not realise that disk encryption could cost so much.

The CPU is the limiting factor here, so replacing the traditional hard disk with an SSD does not improve performance. Note that this only affects reads and writes under your home directory. System files and application executables are not encrypted and run at full speed.

I repeated the test on a faster Intel Core i3 M380 with 3 MiB cache running at 2.53GHz. This CPU does not support AES either. When reading from or writing to an encrypted home directory, the CPU load difference amounts to 20 %. You can tell that it is due to encryption because the CPU time reported by tools like top is not accounted to user time, but to system time. Because the CPU is faster, I did not lose much read performance, but write performance dropped from 44 MiB/s to 32 MiB/s.

= Ubuntu MATE Ramblings =


 * Autocompletion in Caja's location bar should be case insensitive. I filed a bug about this in december 2017.

= KDE Ramblings =

KDE Tips

 * Useful keyboard shortcuts are:
 * Ctrl+Alt+Esc: Kill window on click, similar to starting xkill.
 * Ctrl+Alt+L: Lock desktop.
 * Emptying the Trash takes forever, and manually deleting the ".Trash-1000" directory with the mouse tends to yield an error. To overcome it, hold the shift key while pressing the delete key on that directory. Alternatively, right-click on the folder to get the pop-up menu, and then hold the shift key and watch how the "Move to Wastebin" entry mutates to "Delete". Release the shift key and it will go back to normal. That only works if there is no submenu open at that time.

KDE Rants
KDE Rant about ".directory" files:
 * KDE tends to litter your hard disk with hidden ".directory" files, and there is no way to prevent it. It just remember the view settings for the last N directories, like Windows does, and it should cache those settings somewhere under $HOME instead of creating those pesky files all over the place.
 * The Dolphin file manager does not display MP3 ID tags like everybody else. Older versions used to (!).
 * The "safely remove" eject icon for USB drives is often missing from the "device notifier" pop-up window. Sometimes it is because the file system has not been mounted automatically. But sometimes, there is no real reason. If you then open a Dolphin window and right-click on the USB drive mount on the left panel, the eject option is shown there.