Thursday, April 24, 2014

Debian wheezy & umask for sftp

There are a lot of conflicting and incomplete postings on the web about how to accomplish the simple task of giving sftp-only users a reasonable umask.

Now in Debian wheezy (and probably any box running OpenSSH >= 5.5), the solution is very simple:


So as you see, the trick is not to add the -u switch to the global "Subsystem sftp" configuration (as seen in many tutorials on the web), but to give a separate -u setting on each "ForceCommand" line.
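An added example, not the configuration from the original post: the constructed sshd_config fragment below puts `-u` on each `ForceCommand internal-sftp` line, and a small awk check reports the umask that applies per Match block. The group names, umask values and function names are assumptions.

```bash
# Constructed sample sshd_config fragment (group names and umasks are assumptions).
sample_sshd_config() {
cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftp-upload
    ForceCommand internal-sftp -u 0002

Match Group sftp-private
    ForceCommand internal-sftp -u 0077

Match Group sftp-legacy
    ForceCommand internal-sftp
EOF
}

# Read an sshd_config on stdin and print "<context>: <umask>" for the global
# Subsystem line and for every ForceCommand that runs internal-sftp.
# "default" means no -u was given, so the session keeps the inherited umask.
sftp_umasks() {
    awk '
        { key = tolower($1) }
        key == "match" {
            ctx = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", ctx)   # drop the "Match" keyword
            next
        }
        key == "forcecommand" || key == "subsystem" {
            mask = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "internal-sftp") mask = "default"
                else if (mask != "" && $i == "-u" && i < NF) mask = $(i + 1)
            }
            if (mask != "")
                print (key == "subsystem" ? "Subsystem sftp" : ctx) ": " mask
        }'
}

sample_sshd_config | sftp_umasks
```

Running the same function over a real configuration file shows at a glance which sftp-only groups still have no explicit umask.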

Wednesday, March 12, 2014

unwanted http:// to https:// rewrites in Firefox

HTTPS is a good thing, especially in times of Big Brother watching every byte you send over the wires.

That must be the reason why Firefox tries to be very smart: it automatically remembers if you've once visited a site using HTTPS and automatically redirects you to it.

So far, so good. This becomes a problem however, if you have to deal with sites during their development time, where the development site might have had HTTPS access at some point in the past, but not anymore.

What happens then is really annoying - imagine the following scenario:

you have a test site running like this:

https://thetest.example.com:34567/

Now if you ever entered this URL into Firefox, it permanently remembers that host "thetest.example.com" plus port "34567" means HTTPS.

If at a later point in development you turn off HTTPS support on that port and enter

http://thetest.example.com:34567/

into Firefox's address bar, it immediately mangles the URL to https://thetest.example.com:34567/ - without even trying to make an HTTP connection.

I tried private mode, I tried safe mode, I deleted any cookies I found and any offline data stored, but no luck.

Now, after some googling (long enough to make me think about writing this post :) I finally found the solution.

Open the history, right click the site and choose "Forget About This Site":

Firefox - Forget About This Site

And that should be it, hopefully :)

note: this happens on Firefox 27.0, so this has nothing to do with bug reports for older versions of Firefox.

Tuesday, March 4, 2014

[repost] Howto Exclude Files From Wildcard Matches In bash

preface: This is a repost of an article I wrote more than ten years ago on our company homepage. Despite its age, the page still receives huge amounts of traffic and so I am reposting it here on my blog because the original article will vanish from our official company homepage soon.

Imagine you have a directory that contains several hundred files and for whatever reason you want to list all files in this directory except one or, even worse, a couple of them.

This sounds easy, but actually isn't. Let me illustrate the situation:
  Now say I want to get a listing of all files except confidential.txt. Of course, one could use sed or grep to do this but this is too much overhead as I don't want to waste resources.

There are a couple of solutions all with certain drawbacks:
  •  Solution #1 - bad:
The expected result. But this version only works, if you have no more than one file starting with 'c' in the directory. Otherwise all files starting with a 'c' will be omitted. On the other hand, this can be used for any command that uses file globbing (such as cp and mv).
  •  Solution #2 - not so bad:
This gives us exactly the expected result. However, this solution is bound to ls. If you want to do the same for cp or mv, you're stuck again, because those commands have no idea of the --ignore switch.
  •  Solution #3 - good:
This turns on bash's extended globbing features (shopt -s extglob) and as a result you can use !(something) to exclude "something" from a file globbing operation, which is used by any command that uses wildcards (such as cp and mv again).

You may have noticed that '!' now has a different meaning (it is normally used to repeat old commands), which is its only drawback.
  •  Solution #4 - the best, IMHO:
GLOBIGNORE is a shell variable that lets you define patterns for the names you don't want to see whenever wildcards are used. So if I said GLOBIGNORE="*secret*", secret.txt and top_secret.txt would not have been listed. And this is my™ favourite.
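An added example, not the listings from the original article: the three glob-based solutions (#1, #3 and #4) run against a constructed directory, each in a fresh bash so that the shopt and GLOBIGNORE settings do not leak into the calling shell. The file and function names are assumptions; the `.hidden` file is there to show that setting GLOBIGNORE also makes `*` match dotfiles unless `.*` is added to the ignore list.

```bash
# Constructed sample directory; every file name here is made up.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/confidential.txt" "$d/contacts.txt" "$d/notes.txt" \
          "$d/report.txt" "$d/.hidden"
    printf '%s\n' "$d"
}

# Solution 1: character class. Also drops contacts.txt, which starts with 'c'.
list_charclass() { (cd "$1" && LC_ALL=C bash -c 'echo [!c]*'); }

# Solution 3: extglob negation ("-O extglob" is "shopt -s extglob" at startup).
list_extglob() {
    (cd "$1" && LC_ALL=C bash -O extglob -c 'echo !(confidential.txt)')
}

# Solution 4: GLOBIGNORE. A non-empty value also enables dotglob, so "*"
# now expands to .hidden as well.
list_globignore() {
    (cd "$1" && LC_ALL=C bash -c 'GLOBIGNORE="confidential.txt"; echo *')
}

# Solution 4 with ".*" in the ignore list, which keeps dotfiles excluded.
list_globignore_nodot() {
    (cd "$1" && LC_ALL=C bash -c 'GLOBIGNORE="confidential.txt:.*"; echo *')
}

# The same pattern works for cp: copy all but the excluded file from $1 to $2.
copy_except() {
    mkdir -p "$2" &&
    (cd "$1" && bash -O extglob -c 'cp -- !(confidential.txt) "$1"/' _ "$2")
}

d=$(make_sample_dir)
for f in list_charclass list_extglob list_globignore list_globignore_nodot; do
    printf '%-22s %s\n' "$f" "$($f "$d")"
done
rm -rf "$d"
```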

Monday, March 3, 2014

[repost] How To Repair Corrupt tar Archives

preface: This is a repost of an article I wrote more than ten years ago on our company homepage. Despite its age, the page still receives huge amounts of traffic and so I am reposting it here on my blog because the original article will vanish from our official company homepage soon.

Every sysadmin's nightmare: You made a backup of important files using tar and for whatever reason you need to restore the files - but find the tar archive broken.

This thing happened to me once (and hopefully never again) and it took me quite a long time to get the data back (or at least the usable part of it).

Before we start, some assumptions to make things clear:
  • tar is GNU-tar
  • your archive has been bzip2 compressed
    (although the compression type is secondary)
  • you have the tar-file ready on some accessible place
(GNU-)tar itself has some options that claim to be suitable for recovering data from lost (you'll understand the sarcasm here if you read on ...). So let's first check what the problem is:
Now this indicates that I should use bzip2recover "to *attempt* to recover data from undamaged sections". Well, doesn't sound too bad, does it?

So I used bzip2recover:
That way at least something happened. Depending on the size of the archive, bzip2recover produces a nice amount of small 'rec*' files (typically 900K in size), which corresponds to the block size bzip2 uses by default for compression. The "nice amount of small files" however is likely to become a "huge amount of small files" if your archive is big - like mine was.

The archive I had to deal with was more than 200MB big, leaving me with several hundreds(!) of those "small files". But still I was optimistic that I could retrieve the data from the small files by finding the corrupted files. So I tried to find out which of the small files were corrupted and which ones were good:
  bunzip2 stops when it finds the first (and hopefully last) corrupted file, which is exactly what I wanted to know. Krush kill and destroy: No use for a corrupt file and so I deleted it and repeated the above command plus the deletion for all further bad files. The only important thing is to remember the number of the deleted files.

So now I thought it would be easy: use tar on the bunzip'ed files, but I was taught otherwise. Say that rec00199 was the first (and last) corrupted file, so starting at rec00200:
Headache time ... I could also try it with any of the >200 remaining allegedly "fixed" files, but always got the same error. Searches in Google and postings in some mailing lists did not provide me with any useful results and my headache grew.

Tar claims to have the feature to scan even corrupt files for tar headers, but this feature has one major blemish: it only works if no bytes are lost in the file, because tar expects file headers to be 512 bytes in size. If only one byte is lost in such a header (or a following data block), this "recovery feature" fails and becomes an annoyance.

Luck returned a couple of weeks later when I received an email from a nice guy that had written a nice perl script that really searched a file for a tar header bytewise and not in the 512 bytes manner of tar itself. You can download it from here.

In order to get things working, I joined the second part of the bunzip'ed files (the ones after the bad rec00199):
The command above joins all files starting at rec00200 up to rec004999 together in good_tail.tar.

And now the only thing I had to do was to use the script below to find the position of the first good tar header in good_tail.tar:
  The only thing that matters is the first line of the output, it tells that the first good tar header in good_tail.tar is at position 17185. What remained was to extract the content starting at this position and then untar it:
  Happy end of the story!
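An added example of the last two steps, byte-wise header search and extraction from that offset. This is not the Perl script mentioned above and not the original commands; it assumes GNU grep and GNU tar, and the function names and test archive are made up. It relies on the "ustar" magic that sits at byte 257 of every 512-byte header.

```bash
# Print the byte offset of the first complete tar header in file $1.
# The header starts 257 bytes before its "ustar" magic. A hit below 257
# belongs to a header whose beginning was lost and is skipped. File data
# that contains the string is a false hit, so check the result with tar.
find_tar_header() {
    LC_ALL=C grep -abo 'ustar' "$1" | cut -d: -f1 | while read -r off; do
        if [ "$off" -ge 257 ]; then
            echo $((off - 257))
            break
        fi
    done
}

# Cut file $1 at that offset and unpack the remainder into directory $2.
recover_tail() {
    start=$(find_tar_header "$1")
    [ -n "$start" ] || { echo "no tar header found in $1" >&2; return 1; }
    mkdir -p "$2"
    tail -c +"$((start + 1))" "$1" | tar -xf - -C "$2"
}

# Constructed test data: a two-file archive with its first 700 bytes lost,
# i.e. the header of a.txt and part of its data block are gone.
make_damaged_tail() {
    w=$(mktemp -d) || return 1
    echo "first file"  > "$w/a.txt"
    echo "second file" > "$w/b.txt"
    tar -cf "$w/full.tar" -C "$w" a.txt b.txt
    tail -c +701 "$w/full.tar" > "$w/good_tail.tar"
    printf '%s\n' "$w"
}

w=$(make_damaged_tail)
echo "first intact header at byte $(find_tar_header "$w/good_tail.tar")"
recover_tail "$w/good_tail.tar" "$w/out" && ls "$w/out"
rm -rf "$w"
```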

sidenote: blogspot is a pain in the ass when it comes to using formatted text in posts. Having to abuse gists for such a trivial thing is a joke in the year 2014!

Sunday, November 24, 2013

factory reset a Canon MF8330cdn


In a perfect world, you buy things, you work with those things and if they break, you can repair them.

In reality, hardware vendors in particular make it quite difficult to repair things.

I met one of those issues today. After playing with my network infrastructure at home, I needed to adjust the network settings of my SOHO Canon i-sensys MF8330cdn printer that has been serving my family well - so far.

For reasons unknown, I was not able to change any settings because I was always asked for a completely unknown username & password. I am 100% sure that I never entered such a password before and as it seems, Canon made it particularly difficult to find out how to factory reset the printer.

After a long search and after even purchasing the service manual in order to find a clue how to reset the device, I finally was able to resolve the riddle:

service mode = password reset

  1. enter the "Service Mode" by pressing "menu 2 8 menu"
  2. go to COPIER->FUNCTION->CLEAR->ALL
  3. power off the printer and power it on again

the "menu" button is the one with the asterisk in the head


After that procedure, you will have an almost vanilla printer, with many (but not all) counters reset to 0 and all passwords removed.

only English & Japanese in UI

That, however, had a strange side effect. Now I can only choose between English and Japanese as the UI language, so beware if English causes issues for you or the rest of your users :)

From what I have read, this also works for some newer models (in particular MF8380).

Tuesday, August 20, 2013

PRISM and the damage done

source: wikipedia

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Article 12 of the UN Universal Declaration of Human Rights
PRISM is everywhere. Marc Snowden has done humanity - yes, humanity! -  a big favour unveiling this massive and unlawful intrusion of privacy by the US and, under different names, by a couple of other nations around the globe.
 

the NSA is not one of the "the good guys"

Each day we hear the NSA telling the American people that their constitutional rights have not been violated and everything is only in order to protect them from the evil dangers of terrorism. So, at least according to the NSA, American citizens can be happy. But what about the rest of the world, what about really close allies such as the countries of the European Union?

Who can ever call mass surveillance of European communication by the NSA (and others) legitimate?

Who can ever call NSA's spying on European governments and even the European Commission itself legitimate?

Even if this may be legal in terms of US law, I as a European citizen give a damn shit about US laws - sorry. The only reason for spying on our very own governments is espionage, nothing more.

And what right does the NSA or even worse, the British GCHQ have to spy on my very own communications? The British Government is especially spying on its European neighbours, on the basis of what laws and for what purposes? To protect British people from evil terrorist attacks it is necessary to spy on every phone call I have made or every email I may have sent?

incomparable to "cold war" times

Sometimes, even in Europe, people tell you that we have been surveilled for a long time, mostly starting with the cold war era, and so the news about PRISM isn't really "news". But that is simply not true.

Even if every phone call and every telegram had really been monitored then, that covered only a very small part of people's real lives.

In times where hundreds of millions of people are globally using social media and massively use cloud storage to back up their personal data like photos, things have changed. Now you have access to almost every aspect of ordinary people's lives.

And no, the answer is not to say: then don't use social media and cloud storage, the answer must be: stop spying on private data! And stop claiming that this has anything to do with "terrorist threats"!

NSA and GCHQ are truly poisoning relations

The extent of the surveillance is just beyond imagination and beyond anything that can be used as an acceptable excuse or exception.

The outcome of all this is dramatically increased mistrust towards countries that a huge part of European "educated people" formerly regarded as trustworthy. Even though we all "knew" that secret agencies were doing things in some legal limbo, no one could - or wanted to - imagine the unveiled extent of their operations.

And I cannot help but see the emergence of a truly global surveillance system, operated and controlled by only a very small number of people from an ever smaller number of countries. The terminus technicus for such a system is "police state", where freedom is the exception and not the rule.

How European governments profit from PRISM

Due to legal and political concerns, I guess it would be quite impossible to implement a national or pan-European surveillance system without an outcry of the civil society.

So what is the solution? Let others spy for you! Usually, national security agencies are restricted from spying on nationals (like the NSA). So what's more logical than gaining the wanted data from other nations' friendly agencies?

Europeans must stand up

I guess, every politically and technically interested European has understood quite well now, what is really going on. Conspiracy theories that one could laugh about before, have become reality.

One can not thank Marc Snowden enough for providing the actual evidence.

It's a real shame that Europe practically refuses asylum for Snowden, hiding behind absurd formalities of asylum laws.

As both a European citizen and entrepreneur, I have the highest interest that my and my companies' data is as secure from being spied upon as possible.

And so I think that it is high time to create truly European Union infrastructures, under the sole control of European Union legislation, a "European web of trust", so to speak.

That can only be achieved with the participation of the European civil society and European companies and certainly not behind closed doors.

Conclusion

During this summer's vacation, I reread George Orwell's "1984" [1], which he published in 1949(!). I can only recommend the book to anyone else. The NSA's resemblance to the "Ministry of Love" is stunning, both in what they do and in how they justify their deeds.

I am not too positive that the so called "mass" of people will actually stand up and shout "stop this!". Not because they don't care but more because they consider it inevitable and maybe even necessary.

But I am somewhat optimistic, that "well educated" people, companies and organizations in Europe, or to be more precise, the European Union will stand together. Signs of that are already recognizable.

[1] downloadable version of George Orwell's "1984"

Saturday, June 29, 2013

Goodbye Google Chrome, welcome Firefox

After having used Google Chrome for quite a long time, I have now decided to quit its usage wherever possible. That is all the computers I regularly work on and of course my mobile devices.

While I had originally been a fellow user of Firefox and its predecessors, I decided to move to Google Chrome mostly because its Linux support was much better in terms of "new" standards (WebGL, CSS3, ...) and in terms of performance.

Now, PRISM and Tempora have been unveiled and one can only speculate how many other countries have similar Tier-1 programs to spy out anything and everything that happens on the internet.

What has this to do with Google's Chrome browser, you might ask. The explanation is simple: The confidence that I had in Google's browser has declined much, because some parts of the browser are not open source.

There have been so many speculations about the NSA or other agencies having built back-doors into various pieces of software, ranging from Microsoft Windows to Internet browsers. Without software being fully open source, I cannot be sure that my very human right to privacy is safe from those self-proclaimed "protectors" of the "free world" (that is typically reduced to only a few countries).

In terms of pure usability, Firefox has improved at least a bit on Linux as well. It is still not as fast as Google Chrome, but I rather live with that than being monitored by some jerks.