Thursday, June 24, 2010

Opening Terminal with preset size / fixed geometry

There are many different terminal programs for Linux, and they all have some similar features.

I am familiar with Gnome terminal and Konsole, but choose Xfce terminal because I feel it is a closer match to my needs.


Opening Terminal with a fixed geometry:

--geometry=160x50

( Geometry in this context means the number of rows and columns )

The geometry I have given looks good on a 24" screen, but on smaller screens you might want to experiment with any of the following:

  • --geometry=80x24
  • --geometry=80x30
  • --geometry=80x40
In full you might enter something like the following in a panel item/command launcher:
'/usr/bin/xfce4-terminal' --geometry=80x24

Or for something that is more generic*, perhaps...
xfce4-terminal --geometry=80x24

*Depending on your Linux system, xfce4-terminal might alternatively be in /usr/local/bin/ or /opt/local/bin/

*The single quoting (') in command launchers is something I see in Xfce, but do not recall seeing elsewhere.

Opening Terminal with fixed location:

For xfce4-terminal, I was able to set a default position by editing MiscDefaultGeometry in the file ~/.config/Terminal/terminalrc as shown in this diff:


To tell xfce4-terminal to have a default geometry of 160x50 and a default position of 150 pixels from the left and 0 pixels from the top, use:


MiscDefaultGeometry=160x50+150+0


Xfce Program Launchers:

In Xfce adding a 'New Item' to a panel brings up a selection list with 'Launcher' as the first entry.

Selecting 'Launcher' will bring up a screen like the following:



Here is one that my system has (and it uses exo-open):



The Command field contains:

exo-open --launch TerminalEmulator

...and there is no mention of xfce4-terminal (explanation later)

Here is the Launcher that I created for the Midori web browser:


Use startup notification (quoted directly from Xfce manual):
... means that the window manager can show an hourglass while the program is loading
( You might want to tick 'Use startup notification' on older systems with significant startup times )


What is this exo-open --launch about?:

Xfce has a 'preferred applications' system. It allows you to select your preferred application in 3 categories: WebBrowser, MailReader and TerminalEmulator.


I repeat again directly from the manpage for clarity:
--launch category parameters...
           Launch the preferred application for the given category with the optional parameters..., where category is either WebBrowser, MailReader or TerminalEmulator.

This preferred applications system is a bit like Debian update-alternatives but specifically for desktop preferences. Here is the control screen if you want to have a tinker with it:



...and the 'Utilities' tab now:


If you have not bothered setting your preferences, or want to bypass the preferences and simply call a particular browser, then there is no need to bother with exo-open.


Mnemonics - convenient or not - you decide:

If you find that commands or menu items are being selected by mistake in your Terminal, it could be that you have Mnemonics in GTK enabled, and you might prefer to switch them off:

ShortcutsNoMnemonics=TRUE

To read more about GTK and Mnemonics try this link.

The file ~/.config/Terminal/terminalrc is where you would set ShortcutsNoMnemonics

(This is an xfce4-terminal specific configuration option, I am sure there are ways of achieving the same in Gnome Terminal or similar )


Making changes to ~/.config/Terminal/terminalrc and future upgrades:

When upgrading your system to a new Linux release, it may be that a newer version of xfce4-terminal chokes on your terminalrc file ( It has happened to me in upgrading Ubuntu desktops )

Symptom: clicking the xfce4-terminal launcher briefly flashes up the terminal, but then it disappears

Solution: remove ~/.config/Terminal/terminalrc and retry


Gnome Terminal and Konsole:

Both of these terminal programs work well, and it may be that these are your favourite programs.

The great thing about weblogs is that anyone can write an article expounding their favourite Terminal program.

Rather than tell me how much better Gnome Terminal or Konsole are in your eyes, please instead write an article yourself, and if you link to this article in its comments, then I will happily reciprocate :)


Further reading and links:

Xfce4 manual section on Launchers (version 4.0 of Xfce)


Final tip for people who are wanting to remove Preferred Applications they may have set:


Setting a MailReader in Preferred Applications generates a file at...

~/.local/share/xfce4/helpers/custom-MailReader.desktop

If you no longer want any Preferred Application set for MailReader then perhaps...
...remove the custom-MailReader.desktop file.

Saturday, June 5, 2010

Password caching during desktop startup

The first time your desktop startup shows you a message like this:


...it can maybe have you wondering how secure your desktop really is.

The message 'Granted permissions without asking for password' is not too serious when the explanation is read in full, but it does grab your attention :)

What is happening is that an authentication password you have entered has been cached, and is now being reused.


The output above shows an example of what is happening in the background. It shows gksudo being called with the message "Wicd needs to access your computer's network cards", but instead of showing you the message, your system is taking advantage of a cached sudo password ( -p GNOME_SUDO_PASS )

This is designed to add some convenience to your desktop, but does not suit everyone.

Now some might shout 'security risk' or 'insecure desktop', but as with most things Linux, it can always be changed to suit individual needs (see next section)

timestamp_timeout of /etc/sudoers:

If you feel the sudo password caching is too much for your taste, then you can enter your own preference in the file /etc/sudoers:



Setting timestamp_timeout=1 will ensure passwords are only cached for a minute.

The screenshot above does not show me actually making the change, but rather I provide examples of how the relevant line in /etc/sudoers should appear.

The first line beginning Defaults is how things are right now. Sudo is using the default caching time (15 minutes or 5 minutes according to various forum postings).

The last line shows how the line in /etc/sudoers should look in order to have 1 minute caching.

The guide here shows you how to use sudo -K to empty out a cached password (helpful if you are about to walk away from a shared desktop machine).

There are several guides to walk you through the editing of /etc/sudoers; they tend to be editor specific, and here is one for vi fans.

Although the command itself is named visudo, you can use the update-alternatives command to have emacs editing as follows:

update-alternatives --config editor

( pick the number corresponding to emacs, and you have emacs editing of sudoers next time you run visudo )
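As an added example (not from the original post), here is a small shell script that reads a sudoers file and reports what its timestamp_timeout setting means, using two constructed fragments in place of the screenshot; the function names and the fragments are mine, and only timestamp_timeout=1, sudo -K and visudo come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a sudoers file for the
# Defaults timestamp_timeout setting discussed above. It reads a copy of the
# file, so it needs no root and never edits /etc/sudoers (use visudo for that).
set -eu

# sudoers_timeout FILE
# Print the timestamp_timeout value set on a Defaults line, or "unset" when no
# line sets it (sudo then uses its compiled-in default, which is not visible in
# the file). Comment lines are ignored; if several lines set it, the last is
# reported.
sudoers_timeout() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep '^[[:space:]]*Defaults' \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' \
        | tail -n 1 \
        | grep . || echo unset
}

# describe_timeout VALUE
# Translate the number into what sudo does with it (see sudoers(5)):
# 0 means prompt every time, a negative value means the cache never expires.
describe_timeout() {
    case "$1" in
        unset) echo "compiled-in default applies" ;;
        0)     echo "always prompt (no caching)" ;;
        -*)    echo "cached credentials never expire" ;;
        *)     echo "cached for $1 minute(s)" ;;
    esac
}

# timeout_is_weaker_than VALUE LIMIT
# True (exit 0) when VALUE caches for longer than LIMIT minutes or never
# expires. "unset" is flagged as well, since the default is not in the file
# and is exactly what the post is trying to tighten.
timeout_is_weaker_than() {
    case "$1" in
        unset|-*) return 0 ;;
        *)        [ "$1" -gt "$2" ] ;;
    esac
}

# check_sudoers_syntax FILE
# visudo -c -f parses a candidate file without touching the live /etc/sudoers,
# so a typo cannot lock you out before the file is installed.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; skipping syntax check"
    fi
}

# Two constructed sudoers fragments standing in for the post's screenshot:
# "before" leaves caching at the default, "after" is the 1 minute version.
tmpdir=$(mktemp -d)
cat > "$tmpdir/before" <<'EOF'
# Defaults line as commonly shipped: nothing said about timestamp_timeout
Defaults        env_reset
root    ALL=(ALL) ALL
EOF
cat > "$tmpdir/after" <<'EOF'
Defaults        env_reset
Defaults        timestamp_timeout=1
root    ALL=(ALL) ALL
EOF

for f in before after; do
    v=$(sudoers_timeout "$tmpdir/$f")
    printf '%s: timestamp_timeout=%s -> %s\n' "$f" "$v" "$(describe_timeout "$v")"
    if timeout_is_weaker_than "$v" 1; then
        echo "  caches longer than 1 minute; consider Defaults timestamp_timeout=1"
    fi
done
check_sudoers_syntax "$tmpdir/after" || echo "  syntax check failed; fix before installing"
# Whatever the timeout, 'sudo -K' drops the cached credential immediately.
```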

Nvidia 7025 onboard graphics - a less supported chipset

My 5 year old motherboard has been progressively failing over the last year (usb got twitchy, then intermittent memory errors), so it was time to replace things.

I wanted something cheap and cheerful, until (hopefully) I can move to an X6 machine next year.

The Asrock N68C-S motherboard, at £30, is cheap and cheerful with one important drawback - the onboard graphics uses a little known GeForce 7025.

( I don't know how many AMD processor motherboards use Nvidia onboard, but I suspect most are Ati chipsets )

The graphics problem is not an issue for me, as I was planning to use a spare PCIE Ati 3450 anyway, but I tried the onboard regardless just to see how it fared.

The manual says Chipset is Nvidia GeForce 7025 / nForce 630a on this motherboard.

I did get a working display but the resolution 800x600 is far from workable.

This message from the NV driver is probably important:
    "(--) NV(0): Chipset: "Unknown NVIDIA chipset"

A full Xorg output file is available in this directory (labelled unknownNvidiaChipsetMessage.log)

In fairness, I am using this motherboard with Debian Squeeze (unreleased), but trying it with Ubuntu Lucid didn't give great results either.

Ubuntu Lucid uses the Nouveau driver rather than the older NV driver by default.


If you have already bought this motherboard and are wrestling with getting it to work with Ubuntu Lucid, then it may be that neither the newer Nouveau driver nor the older NV driver give results :(

If you are stuck with GeForce 7025 and do not want to shell out for a PCIE graphics card, then it may be worth bookmarking the Nouveau project page, to keep up to date with any news on GeForce 7xxx support.

Here is the current list of supported devices for Nouveau:
     http://nouveau.freedesktop.org/wiki/FeatureMatrix

If you are interested in how the PCIE Ati 3450 setup went, then there is an article here. The article finishes with a working 2D display at full 1920x1200 resolution (radeon driver), which is adequate for my business desktop.

Having already complimented the Asrock N68C-S motherboard on its affordability, I should add that it does have one more useful feature...DDR2 and DDR3 memory slots. This is a practical board for those self build types who (like me) have a mix of older and newer machines; just ensure you have a spare PCIE graphics card to hand before you decide to buy.

Friday, June 4, 2010

html5 sandbox tag - good defense against clickjacking

Before diving into the sandbox tag, a quick two question quiz.

iframe (the source of clickjacking attacks) was invented by?
  1. Thomas Edison
  2. Microsoft
  3. Apple, it's their new name for a digital photo frame
Where can you use markup like <iframe security="restricted">?
  1. CERN
  2. IE Browser
  3. Everywhere today.
(2) is the correct answer for both.

The SECURITY=restricted tag is something only IE supports, and adoption has been very low among website developers (4 sites out of 10,000 surveyed apparently)

The most high profile clickjacking technique currently, is a Facebook trick, whereby the baddie uses a cleverly crafted iframe to trick you into 'liking' something.

The result can be considered a social hack, whereby other users might feel more trusting of something, based on your (bogus) recommendation.

If you care about your online reputation, then you should at least have an awareness of such techniques.

Rather than singling out Facebook, it might be proper to report that Twitter had the "Don't click" annoyance which is documented in detail here. Twitter responded to this issue and it quickly disappeared.


html5 iframe tag extended to sandbox with src attribute:

<iframe sandbox="allow-same-origin" src="http://somesite.com/embedme.html"></iframe>

<iframe sandbox="allow-same-origin allow-scripts" src="http://somesite.com/embedme.html"></iframe>

A new Mime type, text/html-sandboxed, has been specified, which is used in partnership with the sandbox attribute so that:

  • The sandbox attribute tells you what type of secure browser environment should be created before rendering the content
  • The text/html-sandboxed type indicates that the content being delivered from the server is subject to some sandboxing.
  • The text/html-sandboxed type indicates that the content is other than regular unsandboxed html, and should not be served directly, but only within a sandboxed iframe.


Here I quote directly from the Eitan Adler article (blog.whatwg.org):
So it’s a security feature. You could restrict an advertising iframe to have no privileges whatsoever, but you could give a widget iframe privileges to execute its own scripts or embed its own forms.

You could argue that this sandbox marker in html5 is not too different to the (IE only) security=restricted thing. The important thing is that being part of a formal, company independent standard should encourage website developers to feel that they are more likely to get some return from their time in implementing it on their site.

There is much more to the html5 proposal than a 'restricted' equivalent and many more details are shown at the links below.




iframe sandbox - current and planned implementations:

Chrome and Safari have taken the lead here: being webkit based, they both have rendering engines with a sandbox implementation.

Some details on the Chromium blog

Opera:
sandbox tag support status - Opera

Firefox:

Mozilla seem to have dropped the ball a bit here. They are so busy implementing 64 bit versions of their software and other priorities that they seem to have missed the boat.
Mozilla Firefox is my preferred browser, but I feel it is being held back at the moment by:

  • The fact that the NoScript plugin is so effective.
  • Confusion by having the term sandbox already applied to isolation of plugins. ( I think of that sandbox as a stability feature but the two are sometimes confused )

( Whilst NoScript is a convenient solution right now, it would be good to have official inbuilt support commitment from Mozilla folks regarding sandbox attribute of iframe )


I think it will be a mistake if Mozilla decide to ship Firefox 3.7 without support for iframe sandbox tag.

There is a test script here to report on whether your browser supports the html5 sandbox tag.

I ran the test script for my system (Debian Squeeze) and both Midori and Epiphany report success \o/

Opera on my system has just been updated but reports a fail (Opera version



The test script link (above) returns this message from Opera:




Alternative approaches that involve headers:

My personal opinion here is that these are a mistake; it is a nonsense approach to have a webserver header to fix this problem. Better to remove iframes altogether from the html standard than to be prescriptive about which web server software is 'good' and 'bad' based on its out of the box ability to serve these headers.

There are millions and millions of websites out there that pay for shared hosting setups. Suggesting these servers are all reviewed to protect a bit of reputation on Facebook is backward.

Yes, most of these servers (54%) run the same software (Apache) but it would take years to effect the change.

( It is my personal opinion that using meta headers in web site pages to 'simulate' http headers, is something that should be disabled on servers that are proactive about security. )


If Twitter can fix "Don't click" by making some intelligent changes to their site, then Facebook, who are arguably much better funded, can be expected to do the same.

For completeness here are some links to approaches that involve server headers:
A further argument against the server headers approach is that it is all or nothing, which could cause problems with existing users of NoScript plugin (see last paragraph). This would mean that in order to solve one problem (clickjacking), you remove the defenses (NoScript) against another problem.

There are some who suggest there is little to consider and suggest implementing X-FRAME-OPTIONS on the server side, like the views in this article.

Having worked in ISP and hosting environments where thousands of small business host on the same web server, I think the blanket rewriting/header insertion suggestion is naive at best, and the trigger for a disruption to business lawsuit at worst.
( Many businesses rely on their sites being accessible cross browser, and some like the ability to publish their own embeddable content (documents, whatever) on sites they pay hosting for. If removed or affected, without notice this might cause some consternation )

( Should a business themselves choose to move a business site to their own servers, and activate some global http headers, then that is their choice, and there would be no legal repercussions on shared hosting providers. )

With regard to marking their embeddable content with the new mime type text/html-sandboxed, this is something the business themselves could do over a period of time. It would be their choice, and configuring virtual hosts to allow mime type overriding for certain directories might cause much fewer issues in a shared hosting environment.

In the process, the ISP or hosting company would learn a bit about which of their customers are really taking advantage of the ability to publish embeddable content, and this might help them tailor future service to this new distinction that sandbox in html5 will bring.


Minor annoyances "Are you sure you want to leave this page YES/NO":

Using javascript techniques it is easy to be tricked into leaving a site for some other (unwanted) destination.

What you should do is ignore the text in the box (if you feel it is suspect) and always reply in the negative (Cancel or No)

If in doubt close your browser.

Installing NoScript plugin for Firefox will help avoid these javascript annoyances.

If you want an in depth discussion about how iframes can, and have been, exploited in the past year, then there are a few in depth studies by (links below)
The studies by Gustav Rydstedt give good coverage to the techniques, but fail to survey fully the solution proposals. In particular, making no mention of the Html5 enhancements, in a paper dated only last week, seems to be an unfortunate omission.

Thanks are due to Gustav for making these papers available at all, as they do describe the problem clearly, and I found them very readable.


I want my online documents to be embeddable in my other site:

This type of query has been cropping up frequently this year.

Should your documents be embeddable by default?
I have my own opinion about this, but I suspect a survey would give mixed results.

googledocs sends X-FRAME-OPTIONS headers in an attempt to indicate to some browsers that they should ignore the document in certain iframe circumstances.
Practical effect today: This blog does not function as it did some months back when viewed from within IE8 :(

Zoho does not implement any server side headers, so should produce similar results in all browsers.

(Unsurprisingly) All documents hosted on a sharepoint server will come with X-FRAME-OPTIONS headers so again the mixed results at the client end.

There are several sharepoint queries floating around in forums, and here are some solutions:

Query: My sharepoint [hosted] document cannot be included in my domain2.com site, is there a way round this?

Answer: If you want your documents to be embeddable then make copies on Zoho and embed the zoho links in your pages at domain2.com

Lazy Answer: Do nothing. Only IE8 users are affected, whilst 75% of internet users would see the embedded document just fine.


Rolling back the web - who needs iframes anyway:

There are lots of websites that use iframes, however, that does not mean that you have to allow them in your browser:



Here is another option you might want to tick in the Options:


and for those not familiar with NoScript extension here is some introductory text from the AddOn description:


NoScript is a free AddOn and is very powerful. It really does offer protection against existing and emerging threats (the developer seems quite quick to respond to new internet exploit reports).

However, there is a whole range of options in NoScript, and it will take you a few hours and some experimentation to get your setup as you want it.

If any of the following apply then getting comfortable with NoScript might prove a challenge:
  • It is your first year of using the internet 
  • You have very little knowledge of the terminology (perhaps not knowing the difference between Java and JavaScript might be an indication)
  • You do not value your online reputation enough to spend a couple of hours trying out NoScript and whitelisting your favourite (non-Facebook) sites*
*You will need all the protection of NoScript until Facebook themselves become more security conscious in how they program the 'like' feature (the thing being exploited right now).
( The knowledge is there for Facebook to mitigate the threat already, but whether they are willing to take some resource away from new online games and Yahoo integration, to fix the issue with 'liked this' hijacking is the real question )


Further reading and links:

When Raid mirroring just won't work - dd to the rescue

Having worked with many businesses on backup procedures, I try to adopt best practice on my own computers.

With this in mind, I have backup copies of entire hard drives which I refresh once or twice a year. This means that in the event of a critical failure, I can quickly grab the backup hard drive and put my main desktop pc back to the state it was in around 6 months ago.
     ( I back up business critical data using additional procedures than those discussed here )

Motherboards tend to have a raid controller, and raid mirroring procedure accessible in BIOS or startup screen.



With a similar sized disk I just select source and mirror and let the motherboard look after creating a backup (one time raid mirror). This always worked until recently* when I had to revert to using dd.


In defense of the 26 hour backup time, this is running dd via a system rescue usb stick on a 5 year old socket 754 motherboard, with SataI rather than SataII maximum throughput. Even so, the 15.7 MB/s is shockingly slow, but for a one time job maybe that is not such a problem.

*Having bought two matching Samsung F2 1.5TB drives, I was surprised to find the Via onboard raid controller complaining that the drive sizes did not match. I can only assume that a 2005 raid controller might not, in all cases, be good at properly recognising the huge terabyte plus disks that we can buy today.



Using dd for Mirroring entire Partitions or Disks:

As demonstrated above, dd will do a job for you if your raid setup refuses to do a source -> mirror copy. Using modern hardware you should expect this to take a few hours.
[ using ancient hardware you will be there all day (literally) ]

If you prefer you can use dd for partition by partition mirroring, perhaps in my screenshot I might have used if=/dev/sda1 of=/dev/sdb1, so as to just copy the first partition.

Note: Doing things partition by partition, can be a bit more tricky, as you need to give thought to the partition structure on your output disk and if necessary create suitable partitions there prior to running dd.

Those who might prefer output to a file might like to consider of=/mnt/hugedisk/partition1.dd as a suitable parameter.

Documentation for dd can be found in any of these places*:
  • For Debian and Ubuntu in /usr/share/doc/coreutils/
  • by typing in a terminal the command man dd
  • Manpage on the internet (gnu.org)
*Please make an effort to read the dd documentation above before making any comments on this article asking about how to use dd.
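As an added example (not the post's own commands), the following shell script runs the same dd source -> mirror copy against constructed image files and adds the checks worth doing around a real disk mirror; the function names, the image size and the 1 MiB block size are my choices.

```shell
#!/bin/sh
# Added example, not from the original post: the dd source -> mirror copy
# described above, run against constructed image files so it touches no real
# disk, together with the checks worth making before and after a real copy.
set -eu

# refuse_if_mounted DEVICE
# dd copies raw blocks; a filesystem that is mounted while it is copied gives
# an inconsistent mirror. Fail if DEVICE or any partition on it is mounted.
refuse_if_mounted() {
    [ -r /proc/mounts ] || return 0          # nothing to consult on this system
    if grep -q "^$1" /proc/mounts; then
        echo "refusing: $1 is mounted; unmount it or boot a rescue stick" >&2
        return 1
    fi
}

# mirror SRC DST
# Whole-device use is mirror /dev/sda /dev/sdb; partition by partition is
# mirror /dev/sda1 /dev/sdb1 (the target partition must already exist and be
# at least as large). A 1 MiB block size avoids one syscall per 512-byte
# sector, which is part of why the 15.7 MB/s above was so slow; the final
# sync makes sure the data is on the platter before we call it a backup.
mirror() {
    if [ "$1" = "$2" ]; then
        echo "refusing: source and destination are the same" >&2
        return 1
    fi
    refuse_if_mounted "$1"
    refuse_if_mounted "$2"
    dd if="$1" of="$2" bs=1048576 2>/dev/null
    sync
}

# verify_mirror SRC DST
# A mirror that does not checksum identical to its source is not a backup.
verify_mirror() {
    a=$(cksum < "$1" | cut -d' ' -f1)
    b=$(cksum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo OK; else echo MISMATCH; fi
}

# corrupt_byte FILE OFFSET
# Overwrite one byte with a different value, to show that verify_mirror
# notices a single damaged sector.
corrupt_byte() {
    cur=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    new=$(( (cur + 1) % 256 ))
    printf "$(printf '\\%03o' "$new")" \
        | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Constructed stand-ins: an 8 MiB "disk" of random bytes as the source, and
# an image file as the target, the of=/mnt/hugedisk/partition1.dd case above.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/source.img" bs=1048576 count=8 2>/dev/null

mirror "$work/source.img" "$work/partition1.dd"
first_check=$(verify_mirror "$work/source.img" "$work/partition1.dd")
echo "after mirror:  $first_check"          # OK

corrupt_byte "$work/partition1.dd" 4096
second_check=$(verify_mirror "$work/source.img" "$work/partition1.dd")
echo "after damage:  $second_check"         # MISMATCH
```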

Thursday, June 3, 2010

Debian Squeeze - codependencies and circular dependencies

Running Debian Squeeze on my desktop (before it is released), I find I am taking a closer look at the packages installed and their dependencies.

It started as an effort to keep a minimal install, but as my desktop use has progressed, at 992 packages, my install is now hardly minimal.

Package Codependencies:

Perl (perl and perl-modules) gives a good example of a codependency.

Here is a comment from a debian bug discussion which explains things somewhat:

    The co-dependency between perl and perl-modules is required as these
    are fundamentally one package, split only into arch any/all parts.
    Modules within perl use modules within perl-modules and vice-versa.

Python does not use this codependencies approach, but does have a package structure that also requires a bit of understanding when you first see it.

Python (python and python-minimal) seem instead to be set and subset, with the latter intended to be enough to support the initial install process, whilst not taking too much space on install media.

These decisions are understandable when you remember that install media has a fixed size.

( This bartering is perhaps similar to when you move house and have to discuss what goes where in the fixed size Ford Transit Luton/U-Haul )

Python diagram (with a particular leaning towards my install packages):

It is possible to install python 2.6 to python 3.1 in Squeeze, they are just not the default. There is not much relying on python 3.1 just now, except maybe if you wanted to beta test the latest Blender.

(Aside: you will find libpython2.6 and libpython3.1 in Squeeze but there is no python 2.5 equivalent)

Note: All version numbers were checked in June 2010, which is likely 6 months or more ahead of the actual Squeeze release. Version numbers are subject to change and may not be entirely accurate at and beyond the Squeeze final release.

Package circular dependencies:

libwrap0 and tcpd, on a server, are examples, as illustrated by the diagram below:

When I look at installed packages on servers, I see tcpd and think...how did that get there?

The answer, of course, is that I have openssh-server installed, and hopefully the diagram illustrates the rest.

I use the term 'circular dependencies' very loosely in this posting, as the term 'circular dependency', it could be argued, more properly applies where both packages strictly depend on each other.

Package confusing dependencies:

In Squeeze gamin is supposed to be a drop-in replacement for fam.

I use the Thunar file browser and this diagram shows some interesting dependencies:

seahorse-plugins is something I also use on the desktop and I found it useful to include it in the diagram.

For libgamin0 to be a drop-in replacement for libfam0, there would have to be changes to both of the vfs packages shown, so that either libgamin0 or libfam0 could be used.

I think gamin and libgamin0 are also codependencies (as it appears today in aptitude), but the thing that is confusing to me is how I could possibly install gamin.

My thoughts are that if I try to install gamin or libgamin0 then it will break dependencies higher up :(

There must be slightly more to it than I thought, because although I received a dpkg complaint when replacing libfam0 with libgamin0, my system seems to be working without it wanting to remove thunar or seahorse-plugins :)