Electricmonk

Ferry Boender

Programmer, DevOpper, Open Source enthusiast.

Blog

Mirrorboard: A one-handed keyboard layout for the lazy

Wednesday, August 22nd, 2007

Mirrorboard: A one-handed keyboard layout for the lazy.

Do you have a wearable computer? Are you interested in alternate keyboard layouts but too lazy to learn Dvorak? Do you masturbate at your desk? If you answered yes to any of these questions, you may be interested in my custom keyboard layout.

It’s a left-handed mirroring keyboard layout for X11. When you press the caps-lock key, it turns Q into P, A into ;, etc. Nifty.

By the way, read the XKCD comic, or go to hell.

GadflyB5: SQL Relational Database in Python

Wednesday, August 22nd, 2007

Gadfly is a SQL Relational Database that supports a large set of the SQL standard. It keeps the database in-memory while operating on it. It’s also completely written in Python (with the use of some Python/C modules). I don’t know why it’s cool, but it is.

Lowlands 2007

Monday, August 20th, 2007

I’m back from Lowlands 2007, and it was absolutely fantastic, like always. Three days of music, beer, meeting nice people, eating great food and more beer makes you wish you didn’t have to go back to work. Unfortunately, I’ve got to do exactly that tomorrow morning. It’s gonna be a rough day.

I wasn’t particularly satisfied with the line-up at Lowlands this year. In fact, there were only a handful of bands I wanted to see, and most of those weren’t especially good either. Some I’d already seen before, such as After Forever. I’ve seen After Forever about twenty times so far, now that I think about it. This time though, they were missing one of their guitar/grunters, which was very noticeable in their music. Then again, looking at Floor Jansen is always a joy, and more than made up for their sub-par performance.

I did find out about three new good bands I hadn’t heard of before: Saybia, Damien Rice and one whose name I can’t remember right now. They’re probably pretty popular, and just about everyone knew who they were, except for me. I’m lagging behind a bit when it comes to today’s music. Anyway, I was pleasantly surprised with those artists.

Another highlight was the Games In Concert show, which features a sixty-person philharmonic orchestra playing music from games such as God of War and FIFA soccer. The best part was when they played the Super Mario Brothers game sound and showed the famous Super Mario Bros Speedrun on the big screen. The crowd went wild. I like classical music, especially when it’s something out of the ‘ordinary’ like this. Superb.

The weather was also great. A lot of the forecasts weren’t very promising, so I was a bit afraid we might find ourselves in a big pool of mud and water (not to mention thunderstorms.. brr), but in the end we had absolutely beautiful weather. Thanks to our group’s Weather Oracle, who regularly received messages from The Other Side (the home-front who was F5-ing on the Internet Weather Radar site) that predicted the weather to within two minutes. That saved us from the one and only huge rainfall during the entire weekend. Thanks Roy and Saskia!

When the pictures come in, I’ll post a couple here on the blog. I’m already looking forward to Lowlands 2008.

Update: Pictures!

Update II: Found the band name for the third band I liked: Arcade Fire!

PHP Idiotic Function Contest

Tuesday, August 14th, 2007

I’m holding a contest about who can find the most idiotic PHP function. Rules:

  • It has to be an official part of PHP (i.e. can be found in the manual).

Leave your suggestions in the comments.

I hereby nominate the runkit_constant_redefine() function. The manual entry says:

runkit_constant_redefine - Redefine an already defined constant

There is ABSOLUTELY NO EXCUSE WHATSOEVER FOR HAVING A FUNCTION LIKE THIS IN YOUR LANGUAGE! NONE!. The person who thought this up ought to be shot on sight.

If you disagree, or can provide a rationale for why this function is included in PHP, DON’T BOTHER LEAVING A COMMENT BECAUSE YOU’RE WRONG!

There. I’m a little less frustrated now.

Distribute your python app: distutils

Monday, August 13th, 2007

Nice article on distributing your python applications and libraries with distutils on linux.com

RDesktop goodness

Monday, August 13th, 2007

Every now and then, I have to log into a windows machine in order to log expense reports or make a leave request for my work. (The application they use for that at my work doesn’t work properly in Firefox. Welcome to 2007.) Fortunately, we’ve got a big VMWare platform where I can login to a fast virtual Windows 2003 host. Naturally, I use rdesktop for that. There’s some cool options to rdesktop that I didn’t know about:

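First of all, you can automatically log in using the -u, -p and -d options (a password passed this way ends up in your shell history and is visible to other local users through ps; use -p - to have rdesktop ask for it at startup instead):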

rdesktop -u fboender -p F0oB@22000 -d OFFICE win23k.office

You can set the remote desktop geometry using the -g option. That way, you can have a nearly-full-screen remote desktop. For instance, I run at 1280×1024 resolution, and the top menu bar is 24 pixels high, so I create a remote desktop with dimensions of 1280×1000:

rdesktop -g 1280x1000 win23k.office

I also don’t like it if rdesktop takes over my window manager’s keybindings, because I’ve got application launchers bound to keybindings such as Win-R (which launches my Run Program application). So I turn off rdesktop’s “Take over Keybindings” option using -K:

rdesktop -K win23k.office

If all you do is run a single application on the windows machine, for instance Internet Explorer, you can just as well run that straight away using the -s option. This will bypass the default shell and start the application straight away. This means you have no desktop window underneath your application and no windows taskbar at the bottom of the rdesktop window. Since Windows programs come with their window decorations (titlebar, close buttons, etc), you can turn off the ones for your Window manager using -D:

rdesktop -s "C:\\Program Files\\Internet Explorer\\iexplore.exe" -D w2k3.office

That starts an Internet Explorer window as if it’s running on your local computer. Unfortunately, this means you no longer have a minimize button. But that’s what the -S option is for. This enables the -D option and changes the behaviour of the remote minimize button to minimize the local rdesktop window instead of the remote window. You have to specify a button-size with the -S option, because the rdesktop client has to guess where the buttons are in the remote application. 18 is the default size for default windows themes.

rdesktop -S 18 -s "C:\\Program Files\\Internet Explorer\\iexplore.exe" -D w2k3.office

Use the -T option to set the local window’s title, if you’re starting more than one different remote application at the same time:

rdesktop -T "Internet Explorer 7.0" -S 18 -s "C:\\Program Files\\Internet Explorer\\iexplore.exe" -D w2k3.office
rdesktop -T "Photoshop" -S 18 -s "C:\\Program Files\\Adobe\\Photoshop\\ps.exe" -D w2k3.office

Of course, even cooler would be if you installed the SeamlessRDP component on your Windows server, so you can run true single remote applications on your desktop, just like X11 supports.

Finally, the very cool -r option, which allows you to forward local devices, printers, cdroms and directories to the remote server. It also allows you to redirect remote sound to the local machine.

rdesktop -r disk:home=/home/todsah w2k3.office

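This will make my local home directory available as a special share on the remote Windows machine so that I can access my files from the remote machine. The remote side gets read and write access to everything under the forwarded path, so forward a dedicated subdirectory rather than your whole home directory when you don’t fully trust the server.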

That’s about it for cool rdesktop stuff. Remember! Use sparingly.. it’s still windows, right?

Jailing SFTP/SCP

Thursday, August 9th, 2007

Here’s how to set up a jailed / chrooted SFTP/SCP environment for a single user:

Note: This is a little specific for Debian in some places, but it should work for other distributions too. You may need to tweak the jailkit configurations in /etc/jailkit/jk_init.ini a bit.

Get jailkit (http://olivier.sessink.nl/jailkit/index.html#download). Jailkit is an awesome tool that’ll allow you to set up minimal jails by inspecting which libs are used by binaries and copying them, the binaries and some other directories to a separate dir, which can be used as a chrooted environment.

Get Jailkit and install it:

$ wget http://olivier.sessink.nl/jailkit/jailkit-2.4.tar.bz2
$ tar -xjf jailkit-2.4.tar.bz2
$ cd jailkit-2.4
$ ./configure
$ make
$ make install

Now, create a new normal user like you would normally do. In a moment, we’ll use jailkit to move this user to the jail.

$ adduser --disabled-password public

Set up the jail. You can’t do this in /home! (You can move everything to /home later if you want to).

$ mkdir /jail
$ chown root:root /jail
$ chmod 755 /jail
$ jk_init -v -j /jail/public/ sftp scp jk_lsh

This copies all the library files sftp and scp need to /jail/public. If you look at /etc/jailkit/jk_init.ini, you’ll see sections there for the sftp, scp and jk_lsh programs. They list, among other things, the directories to include in the copy. jk_lsh is a minimal shell that restricts which commands can be run inside the jail. In this case, it will limit commands to sftp and scp.

Now, we move the public user to the jail:

$ jk_jailuser -m -j /jail/public/ public

Edit the /jail/public/etc/jailkit/jk_lsh.ini file and add which program the jailed user may run. In this case, scp and sftp-server.

[public]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server

Just to be sure, check if the executables exist:

$ ls /jail/public/usr/lib/openssh/sftp-server
$ ls /jail/public/usr/bin/scp

If you want, move the /jail/public to /home/ and edit /etc/passwd to reflect this change.

$ mv /jail/public /home/public
$ vim /etc/passwd

and change the homedir for user public from /jail/public/./home/public to: /home/public/./home/public (Yes, that’s correct).

$ rmdir /jail/

Done.

If you want to add public key authentication:

$ mkdir /home/public/home/public/.ssh
$ chown public:public /home/public/home/public/.ssh
$ vim /home/public/home/public/.ssh/authorized_keys2

Add the public key to the authorized_keys2 file.

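You can make directories from outside the jail available inside the jail using a bind mount. The mount point has to exist inside the jail, and if you moved the jail to /home/public, the target path changes accordingly: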

$ mount --bind /storage/sound/mp3/ /jail/public/home/public/mp3/

The result?

[todsah@jib]~$ sftp public@sharky
Connecting to sharky...
Password:
sftp> ls
mp3
sftp> ls /
/dev   /etc   /home  /lib   /usr
sftp> ls mp3
mp3/10 CC                                                             mp3/Aeternus
mp3/After Forever                                                     mp3/Air
mp3/Alborada                                                          mp3/Alter Bridge
mp3/Aphix Twin                                                        mp3/Apocalyptica
mp3/Arch Enemy                                                        mp3/Autumn
mp3/Bachmann Turner Overdrive                                         mp3/Beethoven
etc.

There’s tons of other cool stuff you can do with Jailkit. Check out the HowTo’s on the Jailkit homepage.

Oh, and the size?:

[root@sharky]/home# du -hs public/
4.1M    public/

Update! Important!

Remember that you need to regularly run jk_update -j /jail/public/ (with the jail’s new path if you moved it) to update the files in the jail! A jail contains copies of files from the main system (libraries, executables), so any security fixes to files in the main system aren’t reflected in the jail until you run jk_update!
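To see how far a jail has drifted from the host before running jk_update, you can compare the copies directly. This is an added example, not part of Jailkit or the original post; the function name jail_stale_files and its optional HOST_ROOT argument are hypothetical, and etc is skipped because the jail's own configuration (jk_lsh.ini, for instance) is not a copy of a host file.

```shell
#!/bin/sh
# Added example: list files in a jail whose contents no longer match the
# same path on the host, i.e. the copies a jk_update run should refresh.
# usage: jail_stale_files JAIL_DIR [HOST_ROOT]
# HOST_ROOT defaults to / and exists only so the function can be tried
# against a constructed directory tree.
jail_stale_files() {
    jail=${1%/}
    host=${2:-/}
    host=${host%/}
    [ -d "$jail" ] || { echo "no such jail: $jail" >&2; return 2; }
    # Only the directories that hold copies of host binaries and libraries.
    for sub in bin sbin lib lib64 usr; do
        [ -d "$jail/$sub" ] || continue
        find "$jail/$sub" -type f
    done | while IFS= read -r copy; do
        rel=${copy#"$jail"}          # path as seen from inside the jail
        orig=$host$rel               # the file it was copied from
        if [ ! -f "$orig" ]; then
            echo "ORPHAN $rel"       # removed or relocated on the host
        elif ! cmp -s "$copy" "$orig"; then
            echo "STALE $rel"        # host file changed after the copy
        fi
    done
}
```

Running jail_stale_files /jail/public from cron and mailing any output gives an early warning that the jail is missing a fix the host already has.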

SFTP pointers

Wednesday, August 8th, 2007

Some quick notes on SFTP.

Identity file

ssh and scp have an -i option for specifying which file has the private key with which to authenticate. sftp doesn’t have that switch, but you can specify one with the -o switch:

sftp -o IdentityFile=/home/user/.ssh/some_key_rsa username@hostname

Batch mode

If you want to do stuff in batch mode (from a script or something), you can use the -b option. Normally, this would require that you write a file with the commands you want to run, but with -b -, you can make sftp read the commands from STDIN:

echo "PUT myfile" | sftp -o IdentityFile=/home/user/.ssh/some_key_rsa -b - username@hostname

Most programs understand the - value for commandline arguments, and read the input not from a file but from stdin.

Allow only SFTP and not SSH

If you want to disallow SSH login, but still want to offer SFTP for a user, you can force that by specifying a command they may run in the .ssh/authorized_keys2 file:

$ cat .ssh/authorized_keys2
command="/usr/lib/sftp-server" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQDAvMJNhB2qDj0C0R4CcbIjIW2arkoAL2HsiP5zfzQfv1uMmZvrRSAO1TgW8qzw0sPRoFOOBARS1yP4Nk4LJBvM0m5BXaim4kWMS2PuoeN9W0nzkwg9+c966/ekQrDt154o8Ef3TRl7uVyOhQc//um0tekuUQ25e6GP3BsFv5Jtn7JZlejcm3d3AFgYJL/DIi43ymptT8TlapJgcUgUQ8Ts6utpvA/BDEAF4G8HnkT2Q7khJfcqIGhc4M0U2JX+46UTvy2HXtuiDcusP7CLY7sw3G+WB5pWu0A3kpV5Iuou68eQTaMVyPDhaQDVbRTmjmQo49n6Sc63krcyBW0mBtYmzQ== comment

You’ll have to make sure that the user can’t write to the .ssh directory or upload files such as .bashrc, .profile, etc. Otherwise the user can overwrite those by uploading their own version, and they can still execute anything they like by just logging in with sftp. You can do this by creating these files and then changing their ownership and rights in such a way that the user can’t write to them. Because it’s hard to guess which files you should create so that the user can’t cause any harm, it’s best to simply create a separate directory in which they can upload stuff, and lock off write access to their entire home directory.

It’s not terribly secure, but better than simply allowing ssh access.
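One way to verify the lock-down described above is to list everything in the home directory that the account could still modify. This is an added example, not code from the original post; audit_sftp_home and its arguments are hypothetical names, and group-writable entries are flagged without checking whether the user is actually in that group.

```shell
#!/bin/sh
# Added example: audit the home directory of an SFTP-only account.
# usage: audit_sftp_home HOME_DIR USER UPLOAD_DIR_NAME
# Prints every entry outside the upload directory that USER owns (the owner
# can always chmod it back) or that is group- or world-writable.
# "." in the output is the home directory itself: whoever can write to it
# can replace .ssh, .profile and friends regardless of their own modes.
# Returns 0 when nothing is found, 1 when there are findings.
audit_sftp_home() {
    home=$1; user=$2; upload=$3
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 2; }
    findings=$(cd "$home" && find . -path "./$upload" -prune -o ! -type l \( \
        -user "$user" -exec printf 'owned %s\n' {} \; -o \
        -perm -0002   -exec printf 'world-writable %s\n' {} \; -o \
        -perm -0020   -exec printf 'group-writable %s\n' {} \; \) | LC_ALL=C sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

An empty result for audit_sftp_home /home/user user upload means the only place the account can write is the upload directory.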

GNOME/GTK hack: Smaller icon sizes

Tuesday, August 7th, 2007

Icons are freaking huge in Gnome. Since I’m not blind, I’d like them a bit smaller. Unfortunately, GNOME doesn’t seem to offer an easy way to do this.

There’s the desktop/gnome/interface/toolbar_icon_size in the gconf-editor, but it doesn’t appear to do anything, so that’s not really gonna work. Besides, I have no idea what I should set the integer to. Fortunately, we can tweak everything using GTK’s Resource files. The nice thing about this is that it works for all GTK 2.0 apps as well as Gnome apps.

Create a file .gtkrc-2.0 in your homedir, and put the following in it:

gtk-toolbar-icon-size=small-toolbar

That makes the toolbar buttons smaller, though not by much. You may not even notice it. Try starting some GNOME program with a toolbar (gedit is a good one; don’t use the File Browser (Nautilus) because it’s already loaded) to see if it’s satisfactory. If it’s not small enough for you, you can tweak it even further. Just add the following to the same file:

gtk-icon-sizes="gtk-small-toolbar=16,16"

That will make icons 16 by 16 pixels. Small enough for my tastes.

You can modify more than just the toolbar icons:

gtk-icon-sizes="\\
    gtk-menu=16,16:\\
    gtk-button=16,16:\\
    gtk-small-toolbar=16,16:\\
    gtk-large-toolbar=16,16:\\
    gtk-dnd=16,16:\\
    panel-menu=16,16:\\
    panel=16,16:\\
    gtk-dialog=16,16\\
"

You’ll have to figure out for yourself what they do though. Most should be obvious. Some don’t work anymore in newer gnome versions.

Changes you’ve made won’t affect Nautilus (the file browser, the desktop and everything else powered by Nautilus) until you restart Gnome. Maybe you could killall -HUP nautilus, but I didn’t dare try that.

localenv v0.3

Tuesday, August 7th, 2007

I just released Localenv v0.3.

localenv is a collection of scripts that run other scripts and replace (configuration) files depending on the current profile, which is determined by the network you’re currently on. It is ideal for laptop owners that move between different networks.

Scripts are provided for discovering which network you’re on (by using known MAC addresses of machines on the network), running scripts in certain directories and changing configuration files.

Changes:

  • Added a localenv-run script which is a wrapper that discovers the network and calls localenv-scripts. It’s useful for when you can’t run localenv-scripts `localenv-discover` PATH due to a lack of backtick command expansion.

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.