The cam only has a VGA 640×480 resolution but for me that's sufficient. It is recognized by my old Ubuntu 10.10:

$ lsusb
Bus 002 Device 004: ID 18ec:3366 Arkmicro Technologies Inc
...

It looks like there is a very similar model with a different cam.
So far I use Cheese to look at my objects of interest (the two programs i found so far seem not to be intended for my purpose; http://gxsm.sourceforge.net/, http://valelab.ucsf.edu/~MM/MMwiki/index.php/Micro-Manager).

To get an idea of the magnification, here are 2 mm in the lowest magnification (4x objective times cam optics):

I looked at the obligatory leg of a fly:



The scale of the above image is 0.2mm (taken with 40x objective). At this scale you got to decide where to focus:

And finally a riddle. Can you guess what's this?

• The comercial ATI-video driver did not want to install, so I switched to
  the free driver and I'm happy since.
• The Touchpad does not work well for me in multitouch-mode.

Hardware Details


# lspci
00:00.0 Host bridge: Intel Corporation Core Processor DRAM Controller (rev 02)
00:01.0 PCI bridge: Intel Corporation Core Processor PCI Express x16 Root Port (rev 02)
00:1a.0 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 05)
00:1b.0 Audio device: Intel Corporation 5 Series/3400 Series Chipset High Definition Audio (rev 05)
00:1c.0 PCI bridge: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 1 (rev 05)
00:1c.2 PCI bridge: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 3 (rev 05)
00:1c.3 PCI bridge: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 4 (rev 05)
00:1d.0 USB Controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 05)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev a5)
00:1f.0 ISA bridge: Intel Corporation Mobile 5 Series Chipset LPC Interface Controller (rev 05)
00:1f.2 SATA controller: Intel Corporation 5 Series/3400 Series Chipset 4 port SATA AHCI Controller (rev 05)
00:1f.3 SMBus: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller (rev 05)
01:00.0 VGA compatible controller: ATI Technologies Inc M92 [Mobility Radeon HD 4500 Series]
01:00.1 Audio device: ATI Technologies Inc RV710/730
02:00.0 Network controller: Broadcom Corporation BCM4313 802.11b/g LP-PHY (rev 01)
06:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8040 PCI-E Fast Ethernet Controller
3f:00.0 Host bridge: Intel Corporation Core Processor QuickPath Architecture Generic Non-core Registers (rev 02)
3f:00.1 Host bridge: Intel Corporation Core Processor QuickPath Architecture System Address Decoder (rev 02)
3f:02.0 Host bridge: Intel Corporation Core Processor QPI Link 0 (rev 02)
3f:02.1 Host bridge: Intel Corporation Core Processor QPI Physical 0 (rev 02)
3f:02.2 Host bridge: Intel Corporation Core Processor Reserved (rev 02)
3f:02.3 Host bridge: Intel Corporation Core Processor Reserved (rev 02)



# lsusb
Bus 002 Device 004: ID 0a5c:219c Broadcom Corp.
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1210:25f4 DigiTech
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub


Network

Both ethernet and wifi worked out of the box.

3D Acceleration

I first downloaded the commercial ATI driver from http://www2.ati.com/drivers/linux/ati-driver-installer-11-2-x86.x86_64.run
And tried to install with:

sudo ./ati-driver-installer-10-9-x86.x86_64.run --listpkg
sudo ./ati-driver-installer-10-9-x86.x86_64.run --buildpkg Ubuntu/maverick
ls fglrx*
sudo dpkg -i fglrx*

But this failed with some compilation error. So I decided to use the free driver (instructions here and here):

sudo /usr/share/ati/fglrx-uninstall.sh # (if it exists)
sudo apt-get remove --purge fglrx*
sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
sudo apt-get install xserver-xorg-video-ati
sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
sudo dpkg-reconfigure xserver-xorg

The free driver works well for my needs (a bit of 3D visualisation and Tuxracer now and then).

Multimedia

Sound, microphone and webcam worked out of the box (don't forget to unmute your mic if you try it!).

Touchpad

The touchpad gives me the most headaches. In normal mode it works just fine but it does not offer a scrollbar on the right. In (Gnome) System/Preferences/Mouse/Touchpad I enabled two finger scrolling, but the experience is not satisfying.

Special Keys

Fn-Volume up/down – works
Fn-Brightness up/down – works
Fn-ESC (Suspend to disk) – works
Fn-F2 (Battery status) – works
Fn-F3 (EUR) – does not work (but Alt Gr-e does)
Fn-F4 (switch screen) – did not check yet
Fn-F5 (Brightness???) – does not work
Fn-F6 (Mute) – works
Fn-F7 (???) – does not work
Fn-F8 (???) – does not work
Fn-F9 (Wifi on/off) – does not work
Fn-F12 (???) – does not work

Well, if it was lisp I wouldn't be surprised….

Some part of the fault was on my side, since i did not have any cache control implemented. Fortunally the "reload every 5 seconds"-feature supports caching. I finally implemented proper caching, but I want to show a quick and dirty solution, that would have reduced the load considerably without a proper solution.

Caching

There are different levels of caching in each layer starting from the browser cache, web cache, reverse proxies, page-caches, code caches and then you database has a query cache and your opperating system too down to the caching in your CPU. I'm only intrested browser and web cache, since I want to reduce my bandwith usage.

You may read a good description of web caches but you can also just read on.

Poor man's cache

A simple solution to aboves opera problem is to just pretend that the page does not change for a certain amount of time. That's what the following function does:

# Implements a fake cache control. Reads/sends headers so that the page will only get stale
# if it was deliverd more than $seconds seconds ago.
# If $ua_regexp is given and the user agent does not match it, then no fake caching takes place.
function fake_cache($seconds = 60, $ua_regexp = "") {
  $ims_epoch = strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']);
  $now_epoch = time();
  if ($ua_regexp && !eregi($ua_regexp, $_SERVER['HTTP_USER_AGENT'])) {
    return;
  }
  if ($now_epoch < $ims_epoch + $seconds) {
    #old version is still vald
    header("HTTP/1.0 304 Not Modified");
    exit;
  }
  $mod_gmt = gmdate("D, d M Y H:i:s", $now_epoch) ." GMT";
  $exp_gmt = gmdate("D, d M Y H:i:s", $now_epoch + $seconds) ." GMT";
  header("Expires: $exp_gmt");
  header("Last-Modified: $mod_gmt");
}

Now you can put

fake_cache();

in front of your big pages, so that they will be cached for 60 seconds or

fake_cache(600,"opera");

if you want to deliver your pages only every 10 minutes to unfriendly opera users.

Note that every first time visitor gets a current version of the page.

Opera is hammering my server, who is to blame?

I think it is bad practice by opera to offer such a "reload every 5 seconds" feature to users not aware what this could mean. This feature makes opera a bot with a nice gui. But it does not check for robots.txt nor could a webmaster limit this stupidity through it.

Of course opera only does what the user tells it to do. But I really think that opera should warn him if he choses a short reload interval and there is no caching going on. At least after restart of opera it could stop reloading the page or nag the user about it. The command line utility ping made a better decision in this respect:

me@mybox$ ping -f www.opera.com
PING front.opera.com (195.189.143.147) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms

References

• http://ontosys.com/php/cache.html
• http://www.developertutorials.com/tutorials/php/php-caching/page1.html
• http://www.mnot.net/cache_docs/
• http://www.sitepoint.com/article/caching-php-performance/
• http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9

• Your user passwords may be weak.
• If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
• Changing the password requires to log in as root.
• Some programs (e.g. qmail) rely on an accessible home directory.
• The home may accidently stay mounted after logout until the next reboot.
• Suspend to ram and suspend to disk are not treated carefully enough.
• There may be glitches in my scripts.

Prequisites

• GNU Linux (Ubuntu 9.04 Jacky Jackalope )
• TrueCrypt (I used 6.2a)
• a modern pam_exec.so (see below)

Setup

We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:

mkdir /home/private

For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the --text you'll get a graphical user interface).

root@mybox:~# truecrypt  --text --create /home/private/bart.tc
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G

Encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8 ) Twofish-Serpent
Select [1]: 1

Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1

Filesystem:
 1) FAT
 2) None
Select [1]: 2

Enter password: *************
WARNING: Short passwords are easy to crack using brute force techniques!

We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y

Re-enter password:*************

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:
dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag....

Done: 100.000%  Speed: 18.0 MB/s  Left: 0 s

The TrueCrypt volume has been successfully created.

Then we assign the same password as the login password to bart:

root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:

Next, we need to format the encrypted partition and move the old home directory into it:

root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc
Enter password for /home/hgerlach/newcrypt.tc: *************
Enter keyfile [none]:
Protect hidden volume? (y=Yes/n=No) [No]:

root@mybox:~#  truecrypt --text -l
1: /home/private/bart.tc /dev/mapper/truecrypt1 -

root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob #make dotfiles visible
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart.users /mnt/
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1

Now we have to make sure the homedir gets mounted on login. Previously I used pam_mount but they dropped truecrypt support and sound somewhat angry on trucrypt (because they changed their interface). I was not so happy with pam_mount myself and reported a bug which got fixed quickly but will take some time to appear downstream in Ubuntu or Debian.

This time I decided to roll my own mount/umount script. It relies on a "modern" version of pam_exec that supports the expose_authok option. Unfortunally Ubuntu does not come with this modern version yet, so you either have to download it from me (i386-32bit, no guarantees, infected with rootkit by now) or compile it yourself. You should copy the lib to
/lib/security/pam_exec_UNSTABLE.so so pam can find it.

To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_exec_UNSTABLE.so debug expose_authtok seteuid /bin/bash /bin/cryptmount.sh
so it looks like

# /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    optional     pam_exec_UNSTABLE.so  debug expose_authtok seteuid /bin/bash /bin/cryptmount.sh

and to '/etc/pam.d/common-session' we add the line
session optional pam_exec_UNSTABLE.so seteuid /bin/bash /bin/cryptmount.sh
so it looks like

# ...
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config
session optional     pam_exec_UNSTABLE.so seteuid /bin/bash /bin/cryptmount.sh

Everytime we log in or a new session starts the script /bin/cryptmount.sh gets executed.
Thats what I propose it to look like:

#!/bin/bash
# /bin/cryptmount.sh

CRYPTVOLUME=/home/private/$PAM_USER.tc
MOUNTPOINT=/home/$PAM_USER

case "$PAM_USER" in
  root | lisa ) #homedirs of root and lisa are not encrypted
    exit 0
  ;;
esac

case "$PAM_TYPE" in
      auth )
         head -c -1 | truecrypt -t  --protect-hidden=no -k "" \
                      "$CRYPTVOLUME" "$MOUNTPOINT"
      ;;
      close_session )
         MOUNTS=$(mount | grep " $MOUNTPOINT ")
         if test -z $MOUNTS ; then
           echo MOUNTS  $MOUNTS > /tmp/debug
           exit 0
         fi
         OTHER=$(who | grep "^$PAM_USER " | grep -v " $PAM_TTY ")
         if test -z "$OTHER"; then
            echo truecrypt -d $MOUNTPOINT | at now + 1 minute
         fi
      ;;
esac
exit 0

It first checks whether root or lisa (adapt to your own needs) is calling it. Both of them do not have encrypted homedirs, so the script exits. In the second case clause it checks wheter it is called while authenticating and mounts the homdir using the login passphrase or if it is called for closing a session. In the latter case it schedules unmounting the homedir in one minute.

Now bart can login and use the encrypted home. One minute after logoff the homedir will be umounted and encrypted again.

How to roll your own pam_exec_UNSTABLE.so

# get the source (after searching packages.debian.org)
wget http://ftp.de.debian.org/debian/pool/main/p/pam/pam_1.1.0.orig.tar.gz
tar xfzv pam_1.1.0.orig.tar.gz
cd Linux-PAM-1.1.0/
./configure

# install all packages needed for configure to run through
cd modules/pam_exec/
make
# yes this is dirty, but who cares.
sudo cp .libs/pam_exec.so /lib/security/pam_exec_UNSTABLE.so

hg commit --date "1234567890 0"

where 1234567890 is the seconds since epoch and 0 is the timezone. Unfortunally I was unable to comment on the above blog posting, which triggered this posting.
On unix (and bash) you can conveniently use the date command to do the conversion:

hg commit --date "$(date -u --date '2009-2-13 23:31:30' +'%s') 0"

The date command also solves the original posters question:

Actually, I regret that it isn’t possible to define a file that mercurial will use as date reference, something like hg commit -d date filexy.ext -m “commit with autodate from file xy” would be handy. This way, getting the filesystem metadata into a repository representation would be easier, but this might be a too specific request for a standard versioning system…

Just use:

hg commit -d "$(date -u -r filexy.ext +'%s') 0" -m “commit with autodate from file xy”

Figure 1:The file In is used to produce InterM that is itself
used to produce Out. Therefore Out depends directly on InterM and indirectly on In.

I agree that most programmers and administrators know GNU make. Sadly, it is ignored by most others. GNU make solves a very common problem that everyone faces when processing more than one file with more than one programm. It keeps track which file has been changed and which files have to be regenerated.

Consider the abstract example of some output file Out that is produced out of an intermediate file InterM that itself is generated from some input file In (see Figure 1). If In is changed make will reproduce InterM and finally Out. But if you only tweak InterM you don't want it to be overidden by the output of In. Make will not do that unless In is newer than InterM (i.e. was changed after you tweaked with InterM).

We will take a short look at an example from the real-world of LaTeX. LaTeX is a typesetting system that produces nicely typeset postscript-files or PDF-files out of files containing the text in a special markup language. Assume that your LaTeX file sample.tex includes two postscript (ps) figures like Figure 1 and 2 (get the tarball of the example here). These postscript files are generated from two description files by a software called graphviz.

To compile sample.tex you typically type

dot -Tps -o figure1.ps figure1.dot   # to produce Figure 1
dot -Tps -o figure2.ps figure2.dot   # to produce Figure 2
latex sample.tex                     # to compile using latex
dvips -o sample.ps sample.dvi        # to generate a postscript-file

While editing your document, you have to type the above over and over again. This is tedious and error-prone. You may easily forget to run dot after changing the figures or even forget what commands to use if you do not edit the text for a while. You may put the above in a shellscript, but then you have to add every figure to your shellscript and if you process a lot of figures it might take much longer than needed to compile your file, since all the figures are generated everytime you run your
shellscript.

Make solves both of these problems. Figure 2 illustrates the dependencies of the files. The information which file depends on which and how to produce one from the other is stored in a so called Makefile. For our case it might look like this:

FIGURES=figure1.ps figure2.ps

all: sample.ps                      # first rule

sample.dvi: sample.tex $(FIGURES)   # second rule
 latex sample.tex

%.ps:%.dot                          # third rule
 dot -Grankdir=LR -Tps -o $@ $<

%.ps:%.dvi                          # fourth rule
 dvips -o $@ $<

Figure 2:If make detects a change of a file (here the green figure1.dot) it rebuilds all parents that depend on it (here all red nodes).

So what does this mean?

• The first line defines a variable FIGURES. If you want to include another figure in your build-process all you have to do is add it here.
• The second paragraph is called a rule (we will refer to it as first rule). It requests make to produce the left output (here:all) out of the right input (here: sample.ps). For reasons that will become clear later, we do not tell make how to produce "all". Everything behind a hash # is a comment.
• In the second rule the output depends on sample.tex and the figures. Note that the variable FIGURES has to be preceeded by a dollar sing and embraced by brackets. To fullfill this rule make has to run latex. We tell it to do so by a line starting with a tab (here marked as ""; it is a very common beginners error to use spaces instead of tabs!). So whenever the dependencies are fullfilled but sample.dvi is not up to date, make will run latex sample.tex.
• The third and fourth rule tell make how to produce a ps-file out of a dot-file or a dvi-file. The percentage sign % is a wildcard character (similar to * in the shell). The special variable $@ contains the target of the rule (the filename, which matches the left side) while $< contains the source or dependency of the rule (the right side).

If you type make, the Makefile in the current directory will be scanned. Without any further arguments make will try to build the target of the first rule in the Makefile that is -in our case- all. The target all depends on sample.ps that itself can be build from
sample.dvi by the last rule (%.ps:%.dvi).
To build sample.dvi, make needs to invoke the second rule, but first it must meet its dependencys: the figures. The third rule tells make how to produce the figures and the dependacy is met since the dot-files exist. Once the ps-files are produced, the dependencys of the second rule are fullfilled and make invokes latex to produce sample.dvi that is then converted by the fourth rule to produce sample.ps. Now make stops, since there is nothing to do for all (this is called a phony target).

If you run make again it will not do much but just say:

make: Nothing to be done for `all'.

Now change something in figure1.dot and run make another time. This time make will rebuild figure1.ps, sample.dvi and sample.ps to incorporate your changes (see Figure 2).

Target Users:

Everyone who uses the command line to mangle several input files into some output files.

Further reading:

• The GNU Make Manual.
• There are plenty of make-tutorials on the internet although very few focus on non-programmers.
• An example of a sophisticated Makefile for LaTeX.
• TeXFAQ about make

Other packages doing similar things:

• mktex is a special tool that might be a handy replacement of make if you're only focused on LaTeX.
• There exist many other buildtools avoiding some of make's flaws.

You can find the most recent version of GNU make at ftp://ftp.gnu.org/gnu/make/.

Make is available for Debian and Ubuntu (and any other Linux-distribution).

my_str = "MyClass"
my_instance = my_str.constantize.new

So how would you do this in python? We could just use the eval-function:

import inspect, re

ClassRegex = re.compile("[a-zA-Z_][a-zA-Z0-9_]*")

class ConstantizeException(Exception):
  pass

def constantize(s):
  if not ClassRegex.match(s):
    raise ConstantizeException("`%s' contains illegal characters." % str(s))
  klass = eval(str(s))
  if not inspect.isclass(klass): raise ConstantizeException("`%s' does not refer to a class." % str(s))
  return klass

Compare it to the ruby implementation:

  def constantize(camel_cased_word)
    unless /\A(?:::)?([A-Z]\w*(?:::[A-Z]\w*)*)\z/ =~ camel_cased_word
      raise NameError, "#{camel_cased_word.inspect} is not a valid constant name!"
    end

    Object.module_eval("::#{$1}", __FILE__, __LINE__)
  end

So let's try it:

>>> class A:
...   def __repr__(self):
...     return "I'm A."
...
>>> klass=constantize("A")
>>> instance_of_a = klass()
>>> instance_of_a
I'm A.

Seems to work. The syntax is not as nice as in rails, since we can't just monkey patch the string class.

Security

As noted in another post constantize is prone to code injections. We have two protections built in. The regular expression makes sure that eval does not execute arbitrary code while the inspect.isclass insures that only classes are constantized. Otherwise also functions could be returned:

>>> def somefunc():
...   print "called somefunc"
...
>>> klass=constantize("somefunc")
Traceback (most recent call last):
  File "", line 1, in 
  File "", line 5, in constantize
__main__.ConstantizeException: `somefunc' does not refer to a class.

It would be still reckless to use the above constantize on possibly malicious data.

You need to strongly limit the strings that your application may constantize. A straight forward solution would be:

s = "MyClass"
if s in ["MyClass", "SomeOtherNiceClass"]: klass = constantize(s)
else: raise "Unexpected class `%s' " % s

How should you do it?

But then why don't you use some completely differrent method from the very begining? What about a dictionary?

class A:
  def __repr__(self):
    return "I'm A."

class B:
  def __repr__(self):
    return "I'm B."

str2class = { "A": A, "B": B }

It is very easy to see which classes are allowed to be constantized and there is no room for security issues in your python code:

>>> str2class = { "A":A, "B":B }
>>> s = "A"
>>> klass = str2class[s]
>>> a = klass()
>>> a
I'm A.

A nice side effect is the improved execution speed:

>>>> import timeit
>>> t=timeit.Timer("""a=constantize("A")""","from __main__ import constantize")
>>> print t.timeit()
18.7163159847
>>>
>>> t=timeit.Timer("""a=str2class["A"]""","from __main__ import str2class")
>>> print t.timeit()
0.148332118988

If you are lazy you can use the following function to fill your dictionary:

def build_str2class(lst):
  d = {}
  for klass in lst:
    d[klass.__name__]=klass
  return d

str2class = build_str2class([A,B])

Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04:Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.

Using the method described below is no silver bullet and has some issues:

• Your user passwords may be weak.
• If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
• Changing the password requires to log in as root.
• Some programs (e.g. qmail) rely on an accessible home directory.
• The home may stay mounted after logout until the next reboot.

Prequisites

• GNU Linux (Ubuntu 8.04 Hardy Heron)
• TrueCrypt (I used 6.0a)
• pam_mount.so (for Ubuntu install the package libpam-mount)

Setup

We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:

mkdir /home/private

For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the --text you'll get a graphical user interface).

root@mybox:~# truecrypt --create /home/private/bart.tc
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G

Encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8 ) Twofish-Serpent
Select [1]: 1

Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1

Filesystem:
 1) FAT
 2) None
Select [1]: 2

Enter password: *************
WARNING: Short passwords are easy to crack using brute force techniques!

We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y

Re-enter password:*************

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:
dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag....

Done: 100.000%  Speed: 18.0 MB/s  Left: 0 s

The TrueCrypt volume has been successfully created.

Then we assign the same password as the login password to bart:

root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:

Next, we need to format the encrypted partition and move the old home directory into it:

root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc
Enter password for /home/hgerlach/newcrypt.tc: *************
Enter keyfile [none]:
Protect hidden volume? (y=Yes/n=No) [No]:

root@mybox:~#  truecrypt --text -l
1: /home/private/bart.tc /dev/mapper/truecrypt1 -

root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob #make dotfiles visible
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart.users /mnt/
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1

Now we have to configure mount_pam.
In '/etc/security/pam_mount.conf.xml' edit the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
into
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use truecrypt-nl instead of truecrypt. This is a shellscript, that we have to put into '/usr/bin/':

#!/bin/sh
# This is /usr/bin/truecrpyt-nl; append a newline to the password.
(cat; echo)| truecrypt $*

It is a workaround for some bug in either libpam-mount (version 0.32-4) or truecrypt. Libpam-mount sends the password to truecypt without newline. Then truecrypt does not recognize the password. The script above just inserts a newline after the password and makes things work fine.

To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
so it looks like

# /etc/pam.d/common-auth
auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate missingok
auth    optional        pam_mount.so try_first_pass

and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like

# /etc/pam.d/common-session
session required        pam_unix.so
session optional        pam_mount.so

Now bart can login and use the encrypted home.

Bibliography

• Homepage of pam_mount
• A good description of pam (in german)
• A similar howto for LUKS and Gentoo
  

If you want to turn a string into the corresponding class, you could just use eval:

  irb(main):001:0> s="Float"
  => "Float"
  irb(main):002:0> klass= eval(s)
  => Float

But everybody knows that this is dangerous since you can embed arbitrary ruby-code into the string which might do nasty things to your system. Rails defines the String#constantize method which is less dangerous. But it is not save by any means. Consider the following controller:

  def vulnerable_basic_data_new
     klass=params[:class]
     obj=klass.constantize.new(params[:form])
     #...
  end

The class parameter is supposed to be Guest, User or Admin. The posted form is supposed to contain a hash of data that initializes the common attributes of them. Using routes we could call http://myapp/vulnerable_basic_data_new/User/. That's nice. A google search reveals that quite a lot of people write code like above.

http://www.theartofrails.com/hello-world/

But wait! What happens if we open http://myapp/vulnerable_basic_data_new/AnyClass/?form=somestring? Then the application will execute AnyClass.new "somestring" (if AnyClass exists). We just injected a class into the application that the programmer didn't expect. A lazy programmer might argue that an attacker cannot control the method that is called, just the class. It is true, that the usual methods new and find don't sound too dangerous. But what if we called create? And don't forget that we can call any class that is installed on the system. Thanks to rails autoloading capabilities. So if you accidently installed MiniMagick which happens to have security issue right now in version 1.2.3, we can exploit it:
http://myapp/vulnerable_basic_data_new/MiniMagic::Image/?form=-%20%7C%20xclock.

This will execute MiniMagic::Image.new("- | xclock") which will launch a nice xclock on your server. We could have done worse…. Ooooops!

So we should constantize with care. For example, we could use the following method:

class String
  def constantize_with_care(list_of_klasses=[])
    list_of_klasses.each do |klass|
      return self.constantize if self == klass.to_s
    end
    raise "I'm not allowed to constantize #{self}!"
  end
end

And rewrite above controller code to:

  def vulnerable_basic_data_new
     klass=params[:class]
     obj=klass.constantize_with_care([Guest,User,Admin]).new(params[:form])
     #...
  end

There is a even more sopphisticated constantize_with_care plugin that you can download to use in your own projects.

P.S. In the above google search, I found a single person (Michael Schuerig) warning that using constantize carelessly is dangerous and a single project that tries to protect against class injection. Their safe_to_instantiate? makes me think about checking for class relationships in constantize_with_care too.

Update:
I have to apologize to Lisa Seelye. She constantizes params[:controller] which should be sanitized by the routing to contain only very few, save possibilites. At least as long as she does not create a MiniMagickController.

Update: I also have some notes on Constantize in Python.