I recently upgraded my laptop hard drive and decided to move all the virtual disk files of my virtual machines to my home directory.

However, when trying to run the VM, an error notification appeared:

Error starting domain: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied

The Details section of that dialog showed me where the error was occurring:

Traceback (most recent call last):
 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
 callback(asyncjob, *args, **kwargs)
 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 66, in tmpcb
 callback(*args, **kwargs)
 File "/usr/share/virt-manager/virtManager/domain.py", line 1114, in startup
 self._backend.create()
 File "/usr/lib/python2.7/dist-packages/libvirt.py", line 620, in create
 if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied


… or, at least, that’s what I hoped.  Except it didn’t.

For a long time, I played around with permissions on the virtual disk image itself, the directory containing it, and further back/up until reaching ~.  None of it helped.

Then I stumbled upon this libvirt bug report.  Comment #6 by Cole Robinson was what I needed:

“What virt-manager typically offers to do is use ACLs to allow the ‘qemu’ user search permissions on your home dir, which is all it should need and is fairly safe and restrictive.”

In order to check and set this, you’ll need to use the File Access Control utilities – getfacl and setfacl:

# cd /home

My home is “sd”

# getfacl sd

# file: sd
# owner: sd
# group: sd
user::rwx
user:root:--x
user:www-data:r-x
group::r-x
group:www-data:r-x
mask::r-x
other::---

The reason I have www-data with read and execute permissions is that I do web development and testing, and I also keep all my web-dev files in ~ too.  This just makes my system more “portable”, safer to upgrade and/or easier to migrate to a different Linux.

To set the required permission for libvirt / qemu, you just issue this one liner:

# setfacl -m u:libvirt-qemu:r-x sd

... replacing sd with the name of your own home directory.

setfacl (set file access control) takes three main arguments:

  • the action – in this case, -m means “modify” the ACL;
  • the ACL entry to apply, colon-separated: here we specify that it is a user (u) named libvirt-qemu, and that the permissions to allow are read and execute (r-x);
  • finally, the file or directory whose ACL should be modified – in this case, my home (sd).

After this, my virtual machine runs up perfectly.

This is relevant for Crunchbang and other Debian-related distros.  For Fedora/CentOS, I believe the user should be qemu.
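As an added example (not part of the post), here is a small Python script that parses getfacl's text output and applies the POSIX ACL access-check order, so you can see why the qemu user is refused search permission on the home directory before the setfacl call and allowed after it. The "before" ACL text is the getfacl output shown above; the "after" text and the group memberships given for libvirt-qemu are constructed assumptions. Search permission on a directory is the x bit, which is what the check asks for.

```python
"""Evaluate a POSIX ACL (as printed by getfacl) for a given user.

Added example, not from the post. Parses getfacl text and applies the
standard access-check order: owner, named user, group class (masked), other.
"""
import re

# Constructed from the getfacl output shown in the post (before setfacl).
ACL_BEFORE = """\
# file: sd
# owner: sd
# group: sd
user::rwx
user:root:--x
user:www-data:r-x
group::r-x
group:www-data:r-x
mask::r-x
other::---
"""

# Assumed result of: setfacl -m u:libvirt-qemu:r-x sd
ACL_AFTER = ACL_BEFORE.replace(
    "user:www-data:r-x\n", "user:www-data:r-x\nuser:libvirt-qemu:r-x\n"
)


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) -> 'rwx' string."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)$", line)
            if m:
                if m.group(1) == "owner":
                    owner = m.group(2)
                else:
                    group = m.group(2)
            continue
        tag, qualifier, perm = line.split(":")  # e.g. "user:root:--x", "mask::r-x"
        entries[(tag, qualifier)] = perm
    return owner, group, entries


def _masked(perm, mask):
    """Bitwise AND of two 'rwx'-style strings: the mask caps named-user and group entries."""
    return "".join(p if (p != "-" and m != "-") else "-" for p, m in zip(perm, mask))


def effective_perms(acl, user, groups):
    """Effective permissions for `user` (member of `groups`), ignoring CAP_DAC_OVERRIDE
    (root bypasses DAC in practice; here it is evaluated like any other named user)."""
    owner, owning_group, e = acl
    mask = e.get(("mask", ""), "rwx")
    if user == owner:
        return e[("user", "")]  # the owner entry is never masked
    if ("user", user) in e:
        return _masked(e[("user", user)], mask)
    # Group class: union of the owning-group entry (if a member) and every
    # matching named-group entry, then capped by the mask.
    union = ["-", "-", "-"]
    matched = False
    if owning_group in groups:
        matched = True
        for i, c in enumerate(e[("group", "")]):
            if c != "-":
                union[i] = c
    for (tag, qualifier), perm in e.items():
        if tag == "group" and qualifier and qualifier in groups:
            matched = True
            for i, c in enumerate(perm):
                if c != "-":
                    union[i] = c
    if matched:
        return _masked("".join(union), mask)
    return e[("other", "")]


def has_search(acl, user, groups=()):
    """True if `user` may traverse (x) the directory the ACL belongs to."""
    return effective_perms(acl, user, set(groups))[2] == "x"


if __name__ == "__main__":
    for label, text in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        acl = parse_getfacl(text)
        print(label, "libvirt-qemu search on ~:", has_search(acl, "libvirt-qemu", {"libvirt-qemu", "kvm"}))
```

The same test has to pass for every directory component of the image path (/home, /home/sd, /home/sd/libvirt, /home/sd/libvirt/images); the post's setfacl only needed to touch ~ because the deeper directories already allowed traversal.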

You probably got here because you Googled.  I did 😉

As an eclipse user, occasionally you get greeted with error messages which are tricky to resolve.  The error, “Resource ‘X’ is out of sync with file system” made me scratch my head for a little while – as far as I could tell, it wasn’t!

[Screenshot: the error dialog. As an Eclipse user, sooner or later you’ll see this.]

There can be a few causes of this:

  • If you edit any workspace file from outside of eclipse, which is part of your project, this can throw the error.
  • The same is true of directories – have you renamed/moved/deleted anything?
  • The cause which threw my error was symbolic links.  Because I had changed the name of a target directory, this was enough to trigger this error dialog, even though the file name of the symlink itself was unchanged!

To prevent this dialog appearing, as far as possible, visit Window > Preferences > General > Workspace and select:

  • Refresh using native hooks or polling
  • Refresh on access

[Screenshot: the Eclipse preferences window. Selecting appropriate preferences can keep your workspace up to date and reduce the chance of errors appearing.]

The combination of ensuring tight controls on renaming files and directories, together with automating detection of this as much as possible, will lead to a smoother experience with this great integrated development environment.

When installing Debian, or a derivative OS such as crunchbang, you may have opted to separate out your partitions/logical volumes to manage your disk space more finely.

I opted to do this.  My partitions were set up thus:

$ sudo lvs 

 LV     VG   Attr     LSize   
 home   t420 -wi-ao-- 438.10g 
 root   t420 -wi-ao-- 332.00m 
 swap_1 t420 -wi-ao-- 15.50g     <-- way too big!
 tmp    t420 -wi-ao-- 369.00m    <-- way too small!
 usr    t420 -wi-ao-- 8.38g 
 var    t420 -wi-ao-- 2.79g

This was not working for me.  Doing backups using the easy backintime was proving difficult, as backintime relied on more /tmp space than I had.

As I rarely touched swap space, I figured that 15.5G was probably a bit large for my needs.  Thankfully, nabbing swap space and reusing it for the filesystem is easy as pie – and all achieved with no downtime.

Here’s the sequence I typed into a terminal.  First, turn off swap:

$ sudo swapoff -a

Then resize the swap volume:

$ sudo lvresize -L 8GB /dev/t420/swap_1

Now re-format the swap partition before using it again:

$ sudo mkswap /dev/t420/swap_1

Then turn swap availability back on:

$ sudo swapon -a

And finally, resize the /tmp partition on-the-fly:

$ sudo lvextend -L +1G -r -v /dev/t420/tmp

Because the LVM tools are partly filesystem-aware, the resizing of /tmp (using the -r switch, which also grows the filesystem inside the volume) was achieved on-line – no need to log out, reboot or anything else.  The verbose (-v) switch let me see everything that was happening.

The new partition sizing is:

 LV     VG   Attr     LSize 
 home   t420 -wi-ao-- 438.10g 
 root   t420 -wi-ao-- 332.00m 
 swap_1 t420 -wi-ao-- 8.00g 
 tmp    t420 -wi-ao-- 1.37g 
 usr    t420 -wi-ao-- 8.38g 
 var    t420 -wi-ao-- 2.79g

I also have 6.5G spare on the hard drive now, in case it’s needed by another logical volume.

LVM rocks for easy filesystem management!  Try it out!


“Fun” with Windows 7

So.. been having lots of fun with Windows 7 this morning.  Got hold of a refurb PC for doing some client system testing.

Win7 install completes and there are 3 updates to do.  Start the update process and two modal windows open up behind the update window, waiting for me to do something.  Have to click on task bar’s flashing icon to bring windows to the front.  On Windows.  Windows.

Anyway, I give the “OK” for Microsoft Security Essentials to install and it does, then starts to run an update within itself (!).  Due (perhaps) to the length of time of this process on this ageing P4, the main MS software updater kicks out another window saying “The application Microsoft Essentials may not have installed correctly.”

I’m sorry.  “May“??

Choices are “That’s ok, it installed correctly” or “Reinstall this application”.  Except the application is installed and already running an update.  Err…?  So.. how do I know it has installed correctly?  Because it’s running…(?!)  (Does the computer not know??!)

With 20 minutes of Windows use this morning, I can’t believe just how bad things are on the other side of the fence.  Someone fresh to Windows will see all this flashing icons, hidden windows, alerts, worries…  and not have the first clue what to do.

Someone close to me was one of those unfortunate souls.  She’d persisted for about a year with her Win7 machine and was constantly anxious with its scaremongering.  Hardly a productive environment.

Luckily, she’s now running #debian #wheezy with the #gnomeshell and immediately found it intuitive and straightforward.  Go #freesoftware !!

Part #2 of the Data Liberation series

Mozilla, the organisation behind the ubiquitous Firefox web browser, kindly publishes its source code powering a key service which it provides – Firefox Sync.  Because of this, we are able to run our own password sync servers securely and not necessarily be the target of a large-scale data-mining break-in, such as might be performed by a malicious cracker, or the NSA.  Sorry, of course they are the same thing.

Firefox Sync is a neat service which allows you to, quite literally, sync your settings in Firefox across multiple devices.  These settings can include bookmarks, web browsing history, cookies, form-filling data and passwords.  Anyway, I too was keen to run my own password sync server, so I set about doing just that.

I host quite a bit of stuff using Virtualmin, another superbly produced piece of software which facilitates the set-up of multiple domains on a single box. Setting up Firefox Sync on your own server under Virtualmin is actually very straightforward.

The main task at hand is to follow the detailed instructions published by Mozilla.

As per the instructions, I had to run the following, in order to install required software:

# apt-get install python-dev mercurial sqlite3 python-virtualenv libssl-dev

In addition, I also needed to install and enable the WSGI Apache module, which wasn’t present on my system (drawing in dependencies as needed):

# apt-get install libapache2-mod-wsgi

I decided to install the Mozilla sync software in the home directory of my newly created domain, which in Virtualmin is either “/home/domain” or “/home/domain/domains/subdomain”, depending on whether you have created a subdomain for this specific purpose or not.  In the subdomain situation, the folder path would end up being: /home/domain/domains/subdomain/server-full.

Once installed, I inspected the Apache config file. A key change I had to make was to the WSGI configuration within this file. On my Debian box, the Apache config files are located in the standard place: /etc/apache2/sites-available – the same would be true for Ubuntu (on CentOS and other RHEL/Fedora derivatives, you’ll probably find them in /etc/httpd/conf.d/). Once you have created your domain in Virtualmin, your domain’s config file should be within this folder, appropriately named “domain.com.conf”.

In the “domain.com.conf”, there are a few lines to add and one to edit:

Firstly, find the DocumentRoot declaration:

DocumentRoot /home/mydomain/domains/subdomain/public_html

and change it to:
DocumentRoot /home/mydomain/domains/subdomain/server-full

Next, you’ll need to insert the following lines within the same stanza as DocumentRoot (the simplest thing is to adjust them and paste them directly after the DocumentRoot line):

WSGIProcessGroup sync-http
WSGIDaemonProcess sync-http user=<your-virtualmin-domain's-user> group=<your-virtualmin-domain's-group> processes=2 threads=25
WSGIPassAuthorization On
WSGIScriptAlias / /home/mydomain/domains/subdomain/server-full/sync.wsgi

The above example assumes that you are working within the port-80 VirtualHost stanza. If you have enabled SSL on your virtual server within Virtualmin, then you’ll also have a port-443 VirtualHost stanza to add these lines to, with one or two exceptions!

A WSGIDaemonProcess is assigned to each virtual server in Apache. In doing so, it creates a system process which requires a name. According to the WSGI docs, this name must be unique:

“[…] note that the name of the daemon process group must be unique for the whole server. That is, it is not possible to use the same daemon process group name in different virtual hosts.”

When you come to paste the additional lines into your port-443 stanza, you are dealing with a separate virtual server in Apache.  So, within your Apache config file, be sure to rename your WSGIDaemonProcess process name. E.g.:

WSGIProcessGroup sync-https
WSGIDaemonProcess sync-https user=<your-virtualmin-domain's-user> group=<your-virtualmin-domain's-group> processes=2 threads=25
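To catch the duplicate-name mistake before touching a running Apache, here is an added Python check (example code, not from the post, Virtualmin or mod_wsgi). It walks a config file, records the WSGIDaemonProcess name declared in each VirtualHost stanza, and reports any name used in more than one stanza, plus any WSGIProcessGroup that refers to a daemon nobody declared. The sample stanzas, the 192.0.2.10 address and the mydomain user/group are constructed.

```python
"""Lint WSGIDaemonProcess names across Apache VirtualHost stanzas.

Added example, not part of the post. Only the directives the post uses are
parsed; Include files and other directives are ignored.
"""
import re


def stanza(port, name):
    """Build one constructed VirtualHost stanza in the shape the post describes."""
    return f"""<VirtualHost 192.0.2.10:{port}>
    ServerName sync.example.com
    DocumentRoot /home/mydomain/domains/subdomain/server-full
    WSGIProcessGroup {name}
    WSGIDaemonProcess {name} user=mydomain group=mydomain processes=2 threads=25
    WSGIPassAuthorization On
    WSGIScriptAlias / /home/mydomain/domains/subdomain/server-full/sync.wsgi
</VirtualHost>
"""


# The mistake: the :443 stanza was pasted without renaming the daemon group.
BROKEN_CONF = stanza(80, "sync-http") + stanza(443, "sync-http")
# The fix the post describes: a distinct name per virtual host.
FIXED_CONF = stanza(80, "sync-http") + stanza(443, "sync-https")

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DAEMON = re.compile(r"^\s*WSGIDaemonProcess\s+(\S+)", re.I)
GROUP = re.compile(r"^\s*WSGIProcessGroup\s+(\S+)", re.I)


def parse_scopes(conf):
    """Return a list of scopes (server scope first, then each VirtualHost),
    each a dict with the daemon names declared and the process group selected."""
    server = {"addr": "server scope", "daemons": [], "group": None}
    scopes, current = [server], server
    for line in conf.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "daemons": [], "group": None}
            scopes.append(current)
            continue
        if VHOST_CLOSE.match(line):
            current = server
            continue
        m = DAEMON.match(line)
        if m:
            current["daemons"].append(m.group(1))
            continue
        m = GROUP.match(line)
        if m:
            current["group"] = m.group(1)
    return scopes


def check_wsgi(conf):
    """Return a list of human-readable problems; empty means the names are consistent."""
    problems = []
    seen = {}  # daemon name -> scope where first declared
    scopes = parse_scopes(conf)
    for sc in scopes:
        for name in sc["daemons"]:
            if name in seen:
                problems.append(
                    f"WSGIDaemonProcess {name!r} is declared in both {seen[name]} and {sc['addr']}"
                )
            else:
                seen[name] = sc["addr"]
    for sc in scopes:
        if sc["group"] is not None and sc["group"] not in seen:
            problems.append(
                f"WSGIProcessGroup {sc['group']!r} in {sc['addr']} names no WSGIDaemonProcess"
            )
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_wsgi(conf) or "OK")
```

Run it against the real file (e.g. `check_wsgi(open("/etc/apache2/sites-available/domain.com.conf").read())`) before the `service apache2 reload` below; a duplicate name is exactly the kind of error that reload reports without loading the new configuration.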

This configuration should now be valid. You can test this with:

service apache2 reload

This won’t stop the current Apache process, but it will attempt to load the new configuration file. If it fails to load the config, it will tell you without stopping Apache.

Once this works, simply issue:

service apache2 restart

Syncing on mobile

If you intend to use Firefox on Android, or any other mobile Firefox (or clone) that supports the same syncing protocol, there is one caveat.  If you are using an unsigned or self-signed SSL certificate on your sync server, you should visit the site first in your mobile Firefox and add a permanent exception.  Once done, set up Firefox Sync in the normal way, by typing the characters into your desktop browser’s sync dialog, and the two browsers will shortly be synced up nicely!

[ This is a retrospective publication ]

It takes heroes like Edward Snowden to reveal how malicious governments can become. The Snowden revelations during the summer of 2013 showed that not only does everyone have to be wary of internet-based “threats”, but that those threats could be in the form of legally-appointed agencies seeking to catch out anyone who accidentally clicks something they shouldn’t.

Worryingly, despite the big players’ assurances of high levels of security, a post on Ars Technica discusses (and links to) slides created by the NSA, and leaked by Snowden, showing how Google’s international internet traffic was intercepted, analysed and understood – for a variety of its services. Thankfully, more heroes have recently stepped forwards with updates of their own.

My heroes today are +Brandon Downey and +Mike Hearn, who have voiced their contempt for the authoritarian misuse of power with, as we like to call it, the two-fingered salute (this would be one finger in the US…).

Google, too, has a data-collection objective

Let us not forget who Google is and what it does.  Yes, while its employees might be upset that their systems’ security has been brought into question, their employer’s mission “is to organize the world’s information and make it universally accessible and useful”.  So Google, too, has a data-collection objective.

The good thing about the Snowden revelations, if indeed any of them can be “good”, is that it has revealed how much work still needs to be done and how much we assume our data won’t be intercepted and inspected. It’s no longer safe to think like that, and the use of encryption should be mandatory between two end-points.

But now that the larger players are catching up with better security implementations, who is there to help the smaller players? Running a hosting outfit myself, I know how much time is required to stay informed with regards to common exploits and vulnerabilities, as well as implementing working solutions when certain zero-day exploits are revealed. Every internet service provider, hosting company and other entity transacting business via the internet has a responsibility towards safeguarding confidential data. How many take it seriously enough?

It’s time the larger players stepped up and started working collectively in a security community designed to help the smaller players in the market, rather than try to pwn the market itself; if that were to happen, the purpose of the internet would be destroyed and the argument moot.

[ This is an incomplete post mainly consisting of notes to myself.  Ignore at will, commander. ]

When installing slackware, I opted for the excellent XFCE desktop environment. But having become aware of i3, a new tiling window manager, I decided to give it a go.

Learning a new Linux distro is never completely straightforward, even for a veteran. All distributions do things differently, so the knowledge you gain in one distro is never wholly applicable to another.

This can make for interesting discoveries and baffling, vexing problems which require prolonged periods of diagnosis to remedy. But the joy of learning how things work is always with you in Slackware, which is why the distribution – while harder work – is certainly quite rewarding.

Installing i3

How to install… SBo… xwmconfig, etc

http://docs.slackware.com/howtos:window_managers:i3wm

Good starter docs by sycamorex

Getting the right screen display resolution with laptop and external monitor

Use Arch documentation as reference xrandr https://wiki.archlinux.org/index.php/Xrandr (and clues from http://oyhus.no/Intel_915G_SuSE_10.3.html)

To XDM or not to XDM…

The problems I had with XDM

Getting started with the i3 config file – setting alternative shortcuts, nm-applet, etc

$TERM – WTF!! http://superuser.com/questions/124908/how-do-you-change-the-default-term-value-set-at-console-login-ubuntu/124915#124915

Getting the € Euro sign working: http://www.dawoodfall.net/index.php/utf-8-console … and having to edit the code page slightly (removing the U+20AC character from the 4th position in the table) http://www.fileformat.info/info/unicode/char/20aC/index.htm (“loadkeys unknown keysym: ‘quotedblbase'”)

Other smaller config changes

Running Emacs (server) and testing with emacsclient http://www.emacswiki.org/emacs/EmacsClient#toc1

There is a growing trend amongst internet companies – i.e. those organisations who provide services over the internet which store your data – to proclaim your freedom and control over your data. Sometimes, the reality doesn’t quite bear up.

I have decided to write an ad-hoc series of blog posts treating this subject. My main area of focus will be how to use readily-available tools to help you liberate your data and regain control over it.

Keep an eye on my series, at https://dowe.io/tag/data-liberation – and subscribe by email if you want to be kept up-to-date with the latest posts.

Initial plans

The main subjects I am planning to write about at this stage revolve around the current internet/mobile ecosystem and what you can do to live a productive life while maintaining security.

My outline of topics so far:

  • Unlocking your saved passwords from Google Chrome, the internet’s darling web browser
  • Using a free office suite to replace expensive, proprietary vendors’ offerings
  • Getting to grips with your own web account
      – why do this? Benefits?
      – How to set up?
      – Basic steps for maximum security
  • Using your own internet calendar and contact list, rather than letting your data be snooped on by the easier alternatives…
  • Secure P2P file sharing – no, it’s NOT ILLEGAL!

As well as these practical how-tos, I’m also intending to cover the bigger picture in a few supporting articles:

  • Leaving the “safety” of Windows/MacOS behind. Addressing some misplaced fears.
  • Risks of the “walled garden”
  • Get back in control
      – what YOU can do to ensure your rights are not being violated
      – being pro-active and helping in the community

With writing in mind…

If you would like to suggest ideas or subject areas that you would like covered, please get in touch.

I look forward to your comments!

This post has a new edition.


Part #1 of the Data Liberation series

Although Google Chrome is a very fast browser, it lacks one key feature which seems designed to lock users in – any account migration facilities to support moving to other browsers.  This post is intended to help you move your saved passwords from Chrome to Firefox.

Firstly, you’ll need to have a read of this page: http://blog.catoblepa.org/2012/08/linux-how-to-export-google-chrome_28.html   – then come back here for more info!

While following the instructions in that post, take note of these steps below before you close your browser. If you have also set up a separate encryption password for your browser, don’t worry – this method still allows access.

  1. [Screenshot: Google Chrome settings – disconnecting the Google account in Settings]

    In Chrome settings, as a precaution, I disconnected my Google account before closing the browser. Therefore, any changes I could make to this temporary session wouldn’t ever be uploaded back to Google.

  2. Once you have the saved CSV file from Chrome, keep hold of it – we need to edit it. In Firefox, install the Password Exporter add-on: https://addons.mozilla.org/en-US/firefox/addon/password-exporter/?src=search
  3. [Screenshot: Password Exporter – exporting passwords]

    Password Exporter allows you to import passwords too, so you can avoid the need to install any third-party workarounds like LastPass (which again require you to upload all your browser data). Firstly, though, using Password Exporter in Firefox (Tools > Add-ons … Extensions > Password Exporter > Preferences), we can export a sample CSV file to see how Password Exporter expects its import data. Simply click “Export Passwords” and save the file to your home directory.

    NOTE: This requires that at least one password is saved in Firefox already.

  4. The headings in the exported file are as follows:

hostname username password formSubmitURL httpRealm usernameField passwordField

This is the format in which Password Exporter expects its import data.

The data’s headings that you have just exported from Chrome are a little different:

origin_url action_url username_element username_value password_element password_value submit_element signon_realm ssl_valid preferred date_created blacklisted_by_user scheme password_type possible_usernames times_used

We need to match up the Firefox CSV headings with the corresponding Chrome CSV headings. To do this quickly, use a spreadsheet tool; I used LibreOffice Calc.

This is what I arrived at:

(FF = Firefox; GC = Google Chrome)

FF: hostname username password formSubmitURL httpRealm usernameField passwordField
GC: origin_url username_value password_value action_url signon_realm username_element password_element

Once the fields are mapped, there are a couple more important steps to undertake.

[Screenshot: the export dialog – export in the right format!]

Firstly, when you come to exporting from your spreadsheet application, make sure you choose to edit the output filter. In the Export Text File dialog, make sure “Quote all text cells” does not have a check (tick) in the box.

For good measure, I also selected ASCII/US in encoding type,  as that is the format used by Password Exporter when exporting.   I think the importer should handle ISO-8859-1 and/or UTF-8, but your mileage may vary.

Now export it.

Remember seeing the additional header in the exported CSV file? It might have looked something like this:

# Generated by Password Exporter; Export format 1.1; Encrypted: false

In order to tell Password Exporter what format to expect its data in, this heading needs to be added back. However… the best way to do this is via a text editor, not in a spreadsheet program.

Open up GEdit, Emacs, Vi… whatever. Add that line to the top, but remove any trailing commas! It should now look like this:

# Generated by Password Exporter; Export format 1.0.4; Encrypted: false
"hostname","username","password","formSubmitURL","httpRealm","usernameField","passwordField"

One more step before you import!

A side-effect of exporting your CSV in LibreOffice is that empty cells are not quoted. In other words, the comma-separated values may appear like this:

"someusername","somepassword","someUrl",,"someusernameField"

Did you see those two commas with nothing between? The Password Exporter won’t like that when trying to import, so do a quick search-and-replace:

Search for ,, and replace with ,"",

Finally, save the file.  Again, ENSURE the file type is US/ASCII.
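The spreadsheet steps above can be done in one go with a short Python script; this is an added example, not from the post or from Password Exporter. It applies the field mapping given above, writes the version header line, quotes every field (so empty cells come out as "" rather than nothing, which is the state the search-and-replace above produces), and skips Chrome’s “never save for this site” rows (blacklisted_by_user = 1), which carry no password. The sample Chrome rows are constructed; the 1.0.4 version string is the one the post uses.

```python
"""Convert a Chrome password CSV into Password Exporter's import format.

Added example, not part of the post. Input columns are the Chrome headings
listed in the post; output columns and header line are Password Exporter's.
"""
import csv
import io

# Field mapping from the post: (Password Exporter column, Chrome column).
FIELD_MAP = [
    ("hostname", "origin_url"),
    ("username", "username_value"),
    ("password", "password_value"),
    ("formSubmitURL", "action_url"),
    ("httpRealm", "signon_realm"),
    ("usernameField", "username_element"),
    ("passwordField", "password_element"),
]

# Constructed sample of a Chrome export (16 columns, as in the post). The second
# row has no action URL or realm; the third is a "never save" entry with no password.
SAMPLE_CHROME_CSV = """\
origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,ssl_valid,preferred,date_created,blacklisted_by_user,scheme,password_type,possible_usernames,times_used
https://example.com/login,https://example.com/login,user,alice,pass,s3cret,,https://example.com/,1,1,13028375000000000,0,0,0,,3
https://shop.example.org/,,email,bob@example.org,pwd,hunter2,,,1,0,13028375000000000,0,0,0,,1
https://ads.example.net/,,,,,,,https://ads.example.net/,1,0,13028375000000000,1,0,0,,0
"""


def convert(chrome_csv_text, export_format="1.0.4"):
    """Return the text of a CSV that Password Exporter can import."""
    reader = csv.DictReader(io.StringIO(chrome_csv_text))
    out = io.StringIO()
    # The version header Password Exporter looks for; the post's importer needed 1.0.4.
    out.write(f"# Generated by Password Exporter; Export format {export_format}; Encrypted: false\n")
    # QUOTE_ALL writes "" for empty cells, so no ,, pairs reach the importer.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([ff for ff, _ in FIELD_MAP])
    for row in reader:
        if row.get("blacklisted_by_user") == "1":
            continue  # Chrome "never save" marker, no credential to migrate
        writer.writerow([row.get(gc) or "" for _, gc in FIELD_MAP])
    return out.getvalue()


def is_us_ascii(text):
    """The post saves the file as US-ASCII; report whether the output needs re-encoding."""
    try:
        text.encode("ascii")
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    result = convert(SAMPLE_CHROME_CSV)
    print(result, end="")
    print("# ascii-clean:", is_us_ascii(result))
```

The intermediate file holds every password in clear text, so write it to a directory only you can read and delete it once the import has succeeded.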

[Screenshot: the importer dialog – successfully importing passwords!]

Now open up the Password Exporter dialog from Firefox and click Import Passwords – you should see progress in the dialog shortly.

CAVEAT #1: BUG WHEN IMPORTING v1.2-EXPORTED DATA

There is an import bug when the version header is declared as 1.1. However, you can get around this by “fudging” the import header to an older version (I used 1.0.4). If you have trouble importing, adjust your header in the file to look like this:

# Generated by Password Exporter; Export format 1.0.4; Encrypted: false
"hostname","username","password","formSubmitURL","httpRealm","usernameField","passwordField"

After importing, you may see that not all passwords were imported. This is because duplicates are not imported. You can view the details in the link.

CAVEAT #2: SOME LOGINS, PASSWORDS, ETC ARE QUOTED

So far I’ve not had time to find a way around this. It’s to do with the import format.

The adventurous can investigate the source code, here: https://github.com/fligtar/password-exporter/blob/master/passwordexporter/chrome/content/pwdex-loginmanager.js

Hopefully you have now successfully liberated your passwords!

Problems?  Comment below!