On today's web it is easy to end up with a huge list of websites to check for daily updates. News, comics, blogs, … one would like to check them all, regularly. To keep up to date with websites, RSS feeds are an invaluable tool, and feed aggregators help to bring order into our surfing habits. For those who use multiple machines, like me, an online database that keeps track of which articles one has already seen and which ones are new is a great time-saver. The TinyTinyRSS team has done an outstanding job of providing just that functionality.
I have been using a privately hosted TinyTinyRSS instance for quite some time now. Unfortunately, the web interface has lately become increasingly sluggish. That made me think: why not write a (small) program that provides just the functionality I need on a daily basis, namely showing unread articles and, on demand, opening them in a web browser? Luckily, the TinyTinyRSS folks have created a nice HTTP/JSON API. After tinkering with Python for a few days I had a wrapper for the API and two small scripts (one graphical, one console-based) which provide exactly the needed functionality.
The code could be useful for others, as well (writing a full-blown TinyTinyRSS desktop client comes to mind). It is available on my GitHub page, project pyttrss. Comments and critique are very welcome :)
- I strongly prefer to keep social networks in a “privacy container”. It is none of Facebook’s business where I surf on the web. Thus, I’d like to keep social networking sessions separate from my day-to-day surfing (this also applies to my Google account, of course).
- When chatting, it is an absolute necessity for me to be able to use my keyboard. Smartphones are, in my opinion, not a good device for chatting. Typing on a touchscreen slows me down unbearably, not to mention the fact that half of my data is not available on my smartphone.
As long as I used Facebook, I was content to open a Firefox “private window” whenever someone messaged me and to continue the conversation from there. This required logging in each time, but I could usually type the credentials faster than the page loaded. With WhatsApp this is different: the web interface requires me to scan a QR code every time I want to log in. I will not comment on the architectural reasons behind that (it’s just too ridiculous). So another approach is needed.
My plan, therefore: Having a dedicated Firefox session for social networks and chatting.
Unfortunately, running a second Firefox session as the same user is awkward: a plain second firefox invocation just opens a window in the instance that is already running. Firefox does support separate user profiles, and a second profile can be started alongside the first with firefox --no-remote -P <profile>, but both profiles still share the account’s files, processes and environment, so the separation is only as strong as the browser itself. I wanted a harder boundary than that.
So I came up with the idea of creating a dedicated user for running this Firefox session. Turns out this is not quite as straightforward as expected, but with a bit of hacking it works surprisingly well.
Step 1: I need a new user. I’ll call this one “snim” for “Social Networks and Instant Messaging”. Under Ubuntu:
sudo adduser --disabled-password snim
I disabled the password because I never want to log into that account; it only exists to run my Firefox process.
At this point I expected step 2 to be as easy as allowing a sudo for Firefox. Turns out it is not: Firefox needs access to the current X11 session and requires a full user environment to play nicely with temporary files and the like. So sudo -u snim firefox does not actually work. The solution is a small shell script instead:
#!/bin/sh
xhost +SI:localuser:snim # Allow only the local user "snim" to use the X11 display ("xhost +" would open the display to every client, local or remote)
su -c "DISPLAY=$DISPLAY firefox" - snim # Execute firefox in the login environment of "snim", passing the display along (su - resets the environment)
There’s still the problem that this script would ask me for the password of “snim”, which I deliberately deactivated before. So, instead I have to add a line to the /etc/sudoers file that allows me to execute that script as root without being asked for a password. Edit the file with visudo, which checks the syntax before saving; a broken sudoers file locks you out of sudo entirely. The line is simple:
# ... (stuff before)
# ... at the end: the firefox-hack
myusername ALL=(ALL) NOPASSWD: /path/to/my/firefox_hack
Of course, “myusername” has to be replaced with the actual user name and “/path/to/my/firefox_hack” with the path to the script above. Because sudo will now run that script as root without a password, the script must be owned by root and not writable by anyone else (chmod 755 or stricter); otherwise anyone who can edit the script has a passwordless root shell.
Having that, a sudo /path/to/my/firefox_hack will start a separate Firefox session without asking for a password. In that session I can now keep Facebook, WhatsApp and Google logged into my accounts at all times, without any other data from my regular browsing session “spilling over”. I keep the three websites open in tabs, set Firefox to remember my tabs, and define a shortcut for the sudo command above. Bam! Convenient privacy-aware social networking and chatting :)
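The whole procedure above, as one added example script (this is not the original post's script): it creates the account, writes the wrapper root-owned and read-only for everyone else, and installs the sudoers entry as a drop-in file that visudo syntax-checks before it becomes active. The account name snim, the wrapper path /usr/local/bin/firefox-snim and taking the admin user from $SUDO_USER are assumptions for the example; the pieces that need root are only run when the script is invoked with the argument "install".

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed names:
#   SNIM_USER  - the dedicated account (the post uses "snim")
#   WRAPPER    - where the wrapper script is installed
#   ADMIN_USER - the regular account that may start the session
set -eu

SNIM_USER="${SNIM_USER:-snim}"
WRAPPER="${WRAPPER:-/usr/local/bin/firefox-snim}"
ADMIN_USER="${ADMIN_USER:-${SUDO_USER:-$(id -un)}}"

# The single sudoers line: user $1 may run $2 as root without a password.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Write the wrapper script for account $2 to path $1.
# xhost grants the display to that one local user only; "xhost +" would
# open the X server to every client and defeat the whole exercise.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# Started through sudo, which keeps DISPLAY and XAUTHORITY by default,
# so xhost can reach the display of the invoking user.
xhost +SI:localuser:$2
exec su -c "DISPLAY=\$DISPLAY firefox" - $2
EOF
    chmod 0755 "$1"
}

# Return 1 if the wrapper at $1 is group- or world-writable. A NOPASSWD
# sudo entry for a script the regular user can edit is a passwordless
# root shell, so this is the check to run before trusting the entry.
wrapper_is_safe() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[2367]?|*?[2367]) return 1 ;;
    esac
    return 0
}

# Privileged part: account, wrapper, sudoers drop-in. Must run as root.
install_session() {
    [ "$(id -u)" -eq 0 ] || { echo "install_session must run as root" >&2; return 1; }
    id "$SNIM_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$SNIM_USER"
    write_wrapper "$WRAPPER" "$SNIM_USER"
    chown root:root "$WRAPPER"
    wrapper_is_safe "$WRAPPER"
    # A drop-in under /etc/sudoers.d instead of editing /etc/sudoers;
    # "visudo -cf" rejects a broken file before it can lock you out of sudo.
    tmp=$(mktemp)
    sudoers_line "$ADMIN_USER" "$WRAPPER" > "$tmp"
    visudo -cf "$tmp"
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/firefox-snim
    rm -f "$tmp"
    echo "done: run 'sudo $WRAPPER' as $ADMIN_USER"
}

case "${1:-}" in
    install) install_session ;;
esac
```

After "sudo ./this-script.sh install", the regular user starts the isolated session with sudo /usr/local/bin/firefox-snim, exactly as in the post; the only differences are the narrowed xhost grant, the explicit DISPLAY hand-over through su -, and the ownership and visudo checks.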
Anyone hosting internal critical services today is well advised to protect them properly behind a firewall. Linux usually does a pretty good job at that—at least if your bandwidth requirements aren’t too excessive. It is a very good idea to use a graphical tool to create a ruleset, instead of writing iptables rules manually, and fwbuilder tends to get the job done quite nicely.
On the other hand, employees need access to internal information when they are on the road. OpenVPN is a great open source tool to enable this scenario, with nice clients for all major operating systems. New keys are easily generated, and with a bit of scripting, setting up a new laptop for a road worker becomes really trivial.
Is it a good idea to host the OpenVPN service on the firewall itself? In my opinion: yes. The two tasks—firewalling and VPN—are conceptually the same: Regulating network traffic from and to internal machines. Moreover, hosting the VPN access point on the firewall has the added benefit of being able to distinguish individual VPN clients at the firewall before any NAT kicks in.
However, I was seeing major issues with this setup. In particular, my VPN clients could connect just fine, but no packets could traverse the firewall. No matter what rule I added, and how lenient the firewall was set, packets disappeared right after exiting the VPN tunnel—no matter whether NAT was active or not. The strangest symptom I got: Even after flushing all rules, access was still not possible for the VPN clients. Only when the machine was restarted, and before the firewall was reinstated, did VPN work. So the problem was apparently not with VPN, but with the firewall. But I just couldn’t find the problem. It was driving me mad!
It took me literally ages to find out that fwbuilder actually deletes existing routes on the host when it is asked to install additional ones. This included a vital OpenVPN route that used X.X.X.2 as its gateway. That route is not a leftover of manual tinkering: with OpenVPN’s default “net30” tun topology, the server end of the tunnel is a point-to-point link from X.X.X.1 to X.X.X.2, and OpenVPN routes the whole VPN subnet via that X.X.X.2 peer address. Once the route was gone, replies to VPN clients had no way back into the tunnel and left via the default gateway instead, which is why flushing the iptables rules changed nothing. The unobtrusive “2” was also the reason that this change escaped my attention for so long.
Bottom line (TL;DR): fwbuilder is a really versatile tool. But check what it does to your network configuration, and compare the routing table before and after installing a policy. Its changes are not limited to iptables!
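One way to catch this class of problem, as an added example that is not part of the original post: snapshot the routing table before the firewall policy is installed, diff it afterwards, and print the commands that would put any lost routes back. The two routing tables below are constructed sample output in ip route format (10.8.0.0/24 via 10.8.0.2 on tun0 is the net30 server route; 192.0.2.0/24 and 10.0.0.0/24 are invented interfaces), so the script runs offline; in real use they would come from ip route show.

```shell
#!/bin/sh
# Added example (not from the post): detect routes that a firewall install
# removed. Sample tables are constructed; real use: before=$(ip route show).
set -eu

SAMPLE_BEFORE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1'

# Same table after the policy install: the net30 server route is gone.
SAMPLE_AFTER='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1'

# Print every route in table $1 that is missing from table $2.
# Runs of spaces are squeezed first so formatting differences don't
# produce false positives; matching is exact and literal (-F -x).
lost_routes() {
    after=$(printf '%s\n' "$2" | tr -s ' ')
    printf '%s\n' "$1" | tr -s ' ' | while IFS= read -r r; do
        [ -n "$r" ] || continue
        printf '%s\n' "$after" | grep -Fxq -- "$r" || printf '%s\n' "$r"
    done
}

# Succeed if table $1 routes subnet $2 via gateway $3, i.e. the route
# OpenVPN's net30 topology installs for the server's tun interface.
vpn_route_present() {
    printf '%s\n' "$1" | grep -Fq -- "$2 via $3 dev "
}

# Turn a list of lost routes (one per line) into "ip route add" commands.
# Printed rather than executed so an admin can review, then pipe to sh.
restore_commands() {
    printf '%s\n' "$1" | while IFS= read -r r; do
        [ -n "$r" ] || continue
        printf 'ip route add %s\n' "$r"
    done
}

# Stand-alone run on the constructed samples.
lost=$(lost_routes "$SAMPLE_BEFORE" "$SAMPLE_AFTER")
if [ -n "$lost" ]; then
    echo "routes removed by the install:"
    printf '%s\n' "$lost"
    echo "to restore:"
    restore_commands "$lost"
fi
vpn_route_present "$SAMPLE_AFTER" 10.8.0.0/24 10.8.0.2 \
    || echo "WARNING: OpenVPN net30 route 10.8.0.0/24 via 10.8.0.2 is missing"
```

In practice the check wraps the install: before=$(ip route show), run fwbuilder's installer, after=$(ip route show), then lost_routes "$before" "$after". Anything it prints is a route fwbuilder dropped, and if one of them is the VPN subnet via the .2 peer you have found the post's problem before any client notices.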
Despite all we attain,
Caught in our own lives,
Driven by our own anger,
Success our mask of happiness,
The stale victories
That we lost nonetheless.
Carried by our hope,
Above all doubt,
Symbol of a better world,
Now desecrated by the banal,
The lofty idol
Disfigured by everyday life.
As all wounds have been struck,
All pains endured,
As life trickles away from us endlessly,
Nothing remains but the cold of the night
And grey fog
That quietly envelops me.
Installing WordPress on current Ubuntu versions is reasonably easy when using the repositories. There is, however, one drawback to using the repos: the WordPress version you get tends to be somewhat out of date, and some plugins may refuse to work with it. Regarding security updates, I guess it boils down to whom you trust more: the WordPress developers or the Ubuntu repository maintainers. As for me, I found that after upgrading Ubuntu to 14.04 the WordPress version I got was pre-4.0, and I wanted 4.0 at least. I could have run apt-get remove wordpress, but I didn’t want to lose my existing configuration. So I had to find out how to switch from the Ubuntu version out of the repositories to the official WordPress release.
I just wrote a small web service that creates a nicely formatted list of references in PDF format from a raw BibTeX file. I have needed that a few times already. Since I was cleaning up my computer and didn’t want to lose the functionality, I “outsourced it to the cloud”, so to speak :)
(shamelessly copying the style of Randall Munroe of XKCD fame)