Category: Sys

  • Running Firefox as a different user: A convenience hack for social networks and instant messaging

    Social convention requires that I be active on Facebook. Recently, I have also been persuaded to get myself a WhatsApp account. I have two issues with that:

    • I strongly prefer to keep social networks in a „privacy container“. Where I surf on the web is none of Facebook's business, so I want my social networking sessions kept separate from my day-to-day surfing (the same applies to my Google account, of course).
    • When chatting, I absolutely need a real keyboard. Smartphones are, in my opinion, not a good device for chatting: typing on a touchscreen slows me down unbearably, not to mention that half of my data is not available on my smartphone anyway.

    As long as it was only Facebook, I was content to open a Firefox „private window“ whenever someone messaged me and continue the conversation from there. That meant logging in each time, but I could usually type the login faster than the page loaded. WhatsApp is different: its web interface requires me to scan a QR code with the phone every time I want to log in. I will not comment on the architectural reasons behind that (it is just too ridiculous), but it means another approach is needed.

    My plan, therefore: a dedicated Firefox session for social networks and chatting.

    Firefox does support separate user profiles, but a second firefox invocation by default just hands the request over to the instance that is already running; to get two independent processes side by side, the second profile has to be started with firefox -no-remote -P <profile>. Even then both profiles belong to the same Unix user, so every process I run can read either of them. I wanted a harder boundary than that.

    So I came up with the idea of creating a dedicated Unix user just for running this Firefox session. It turns out this is not quite as straightforward as expected, but with a bit of hacking it works surprisingly well.

    Step 1: I need a new user. I'll call it „snim“ for „Social Networks and Instant Messaging“. Under Ubuntu:
    sudo adduser --disabled-password snim
    I disabled the password because I never want to log into that account interactively; it exists only to run my Firefox process. A disabled password also means nobody else can log in as snim with a password, which is exactly what you want for a service-style account.

    At this point I expected step 2 to be as easy as allowing a sudo for Firefox. It turns out it is not: Firefox needs access to the X11 display of my session, and it needs a proper login environment of its own (a home directory for the profile, cache and temporary files) to play nicely. A plain sudo -u snim firefox therefore did not work for me. The solution is a small shell script instead:

    #!/bin/bash
    xhost +SI:localuser:snim   # Allow X11 access for the local user "snim" only (a bare "xhost +" would switch X access control off for every client)
    su -c firefox - snim       # Execute firefox in the login environment of "snim"

    Run as my own user, this script would still prompt for the password of „snim“, which I deliberately disabled; run as root, su switches users without a prompt. So I add a line to /etc/sudoers (edited with visudo, never with a plain editor, since a syntax error locks you out of sudo) that lets me run exactly this script as root without a password. The line is simple:

    # ... (stuff before)
    
    # ... at the end: the firefox-hack
    myusername   ALL=(ALL) NOPASSWD: /path/to/my/firefox_hack
    

    Of course, „myusername“ has to be replaced with the actual user name and „/path/to/my/firefox_hack“ with the path to the script above. Because this line hands out root for whatever that path contains, the script must be owned by root and writable by nobody else (chown root:root, chmod 0755); if it sits in my home directory, writable by my own account, then anyone who gets hold of that account has a silent, passwordless root shell.

    With that in place, sudo /path/to/my/firefox_hack starts a separate Firefox session without asking for a password. In that session I keep Facebook, WhatsApp and Google logged into my accounts at all times, without any data from my regular browsing session „spilling over“: the second Firefox runs as a different user with its own home and profile directory. I keep the three websites open in tabs, set Firefox to remember my tabs, and bind the sudo command above to a keyboard shortcut. Bam! Convenient privacy-aware social networking and chatting :)
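    Here is the version of the launcher I would actually deploy, added as an example; it is not the post's own script. It keeps root out of the picture entirely: the only sudoers rule it needs is myusername ALL=(snim) NOPASSWD: /usr/bin/firefox (run one binary as snim, nothing else), the X11 grant is scoped to the local user snim instead of the whole world and is revoked again when Firefox exits, and the launcher refuses to run if the binary named in the rule is writable by others. Assumptions: the user snim exists as created in step 1, Firefox lives at /usr/bin/firefox and that exact path is what the sudoers rule names, sudo's default env_reset keeps DISPLAY (it does on Ubuntu; otherwise add Defaults env_keep += "DISPLAY"), and, with the X11 grant and -H in place, sudo -u snim -H firefox starts where the plain sudo -u snim firefox above did not. The script is invoked as firefox_hack launch; without the argument it only defines its functions, so it can be sourced and checked.

```shell
#!/bin/bash
# firefox_hack: start a dedicated Firefox as the Unix user "snim".
# Added example, not the original post's script. Assumed setup:
#   sudo adduser --disabled-password snim
#   /etc/sudoers (via visudo):  myusername ALL=(snim) NOPASSWD: /usr/bin/firefox
# That rule lets my own account run exactly one binary as snim; nothing here
# runs as root. Invoke as "firefox_hack launch"; with no argument the file
# only defines its functions so it can be sourced and checked.
set -eu

SNIM_USER="snim"
FIREFOX_BIN="/usr/bin/firefox"   # must match the sudoers entry byte for byte

# Accept only a plain Unix user name before it reaches xhost/sudo arguments.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# xhost entry for one *local* user, e.g. "+SI:localuser:snim". A bare
# "xhost +" would switch access control off for every client instead.
xhost_entry() {   # $1 = "+" or "-", $2 = user
    printf '%sSI:localuser:%s\n' "$1" "$2"
}

grant_x11()  { xhost "$(xhost_entry + "$1")" >/dev/null; }
revoke_x11() { xhost "$(xhost_entry - "$1")" >/dev/null; }

# A NOPASSWD rule is only as strong as the file it names: if that file is
# writable by group or others, whoever can edit it inherits the grant.
# Uses GNU stat's symbolic mode, e.g. "-rwxr-xr-x" (char 6 = group write,
# char 9 = other write).
not_group_or_world_writable() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 1 ;;
        *)                  return 0 ;;
    esac
}

main() {
    valid_username "$SNIM_USER" || { echo "refusing: bad user name" >&2; return 2; }
    not_group_or_world_writable "$FIREFOX_BIN" \
        || { echo "refusing: $FIREFOX_BIN is writable by others" >&2; return 2; }
    grant_x11 "$SNIM_USER"
    trap 'revoke_x11 "$SNIM_USER"' EXIT   # close the X11 door again when Firefox quits
    # -H gives snim its own HOME for profile, cache and temp files. DISPLAY
    # survives sudo's default env_reset; the xhost entry stands in for the
    # XAUTHORITY cookie that snim cannot read.
    sudo -u "$SNIM_USER" -H "$FIREFOX_BIN"
}

case "${1:-}" in
    launch) main ;;
esac
```

    Compared with the script above, the privilege that can leak is now "run /usr/bin/firefox as snim" rather than "run anything as root", and an X11 client running as any other local user still gets rejected by the server.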


  • OpenVPN + fwbuilder woes

    Anyone hosting critical internal services today is well advised to protect them properly behind a firewall. Linux usually does a pretty good job at that, at least if your bandwidth requirements are not excessive. It is a very good idea to use a graphical tool to create the ruleset instead of writing iptables rules by hand, and fwbuilder tends to get the job done quite nicely.

    On the other hand, employees need access to internal information when they are on the road. OpenVPN is a great open source tool for this scenario, with good clients for all major operating systems. New keys are easily generated, and with a bit of scripting, setting up a new laptop for a travelling employee becomes trivial.

    Is it a good idea to host the OpenVPN service on the firewall itself? In my opinion: yes. The two tasks, firewalling and VPN, are conceptually the same: regulating network traffic to and from internal machines. Moreover, terminating the VPN on the firewall has the added benefit that the firewall sees individual VPN clients (by their tunnel addresses) before any NAT kicks in, so rules can be written per client.

    However, I was seeing major issues with this setup. My VPN clients could connect just fine, but no packets could traverse the firewall. No matter what rule I added, and however lenient I made the firewall, packets disappeared right after exiting the VPN tunnel, whether NAT was active or not. The strangest symptom: even after flushing all rules, access was still not possible for the VPN clients. Only after a reboot, and before the firewall was reinstated, did the VPN work. So the problem was apparently not with the VPN but with the firewall. Yet I just could not find it. It was driving me mad!

    It took me literally ages to find out that fwbuilder deletes the existing routes on the host when it is asked to install additional ones. That wiped out a route OpenVPN itself had added, one that pointed at X.X.X.2 as the gateway. I had certainly never configured that; it is what OpenVPN's default net30 topology with dev tun does: the server's tun interface is a point-to-point link between X.X.X.1 and X.X.X.2, and the route for the whole VPN subnet is installed via the X.X.X.2 peer. Not knowing that, I read the „2“ as some stray default and overlooked the missing route for far too long.

    Bottom line (TL;DR): fwbuilder is a really versatile tool. But check what it does to your network configuration, its changes are not limited to iptables! Compare the routing table (ip route) before and after installing a policy, especially on a host that also runs OpenVPN.
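    A check for exactly this failure mode, added here as an example (it is not part of the post, nor of fwbuilder or OpenVPN): snapshot the kernel routing table before running the fwbuilder-generated install script, snapshot it again afterwards, and refuse to call the install a success if any route vanished. The sample routing tables in the block are constructed; they carry the server-side route that OpenVPN's default net30 topology installs for server 10.8.0.0 255.255.255.0 (10.8.0.0/24 via the point-to-point peer 10.8.0.2 on tun0), and the other lines use documentation address ranges. check_install expects the path of the install script as its argument and needs iproute2; demo runs the comparison on the constructed samples only.

```shell
#!/bin/sh
# Added example, not from the original post nor from fwbuilder/OpenVPN:
# detect routes that a firewall install script silently removes, such as
# the server-side route OpenVPN's default net30 topology adds for
# "server 10.8.0.0 255.255.255.0":  10.8.0.0/24 via 10.8.0.2 dev tun0
# Assumed: iproute2 ("ip route show") and the fwbuilder-generated script
# passed to check_install as its argument.
set -eu

# Constructed sample routing tables (documentation address ranges); the
# "after" table is what the firewall install left behind.
SAMPLE_BEFORE='default via 192.0.2.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1'

SAMPLE_AFTER='default via 192.0.2.1 dev eth0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1'

# Print the routes present in $1 but absent from $2 (both "ip route show"
# text). Tables are sorted and de-duplicated first, so a mere reordering
# is not reported as a loss.
removed_routes() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$b"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# True if routing table $1 still carries a route whose destination is $2.
has_route() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { f = 1 } END { exit !f }'
}

# Run the generated firewall script, then refuse to call it a success if
# any route vanished; the lost routes go to stderr so they can be re-added
# (or, better, entered in fwbuilder's own routing configuration).
check_install() {
    before=$(ip route show)
    "$1"
    after=$(ip route show)
    lost=$(removed_routes "$before" "$after")
    if [ -n "$lost" ]; then
        printf 'firewall install removed these routes:\n%s\n' "$lost" >&2
        return 1
    fi
}

# Dry run on the constructed samples: prints the OpenVPN route that was lost.
demo() {
    removed_routes "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
}
```

    On the samples, demo reports only 10.8.0.0/24 via 10.8.0.2 dev tun0: the kernel's link route for the tun0 peer survives (the interface is still up, so the VPN "connects fine"), but without the subnet route nothing coming out of the tunnel has a way back, which matches the symptom described above.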

  • Switch WordPress installation from Ubuntu repositories to official version

    Installing WordPress on current Ubuntu versions is reasonably easy when using the repositories. There is, however, one drawback to using the repos: the WordPress version you get tends to be somewhat out of date, and some plugins may refuse to work with it. Regarding security updates, I guess it boils down to whom you trust more: the WordPress developers or the Ubuntu repository maintainers. As for me, I found that after upgrading Ubuntu to 14.04 the WordPress version I got was pre-4.0, and I wanted 4.0 at least. I could have run apt-get remove wordpress, but I did not want to lose my existing configuration. So I had to find out how to switch from the Ubuntu version out of the repositories to the official WordPress release. (more …)