Network Manager disabling Virt-manager’s bridge

This doesn’t work, and it’s filed as bug 1099949 in Ubuntu. So we’ll see how that goes.

As of about six hours ago, I’ve had this regularly popping up in my syslog:

Jan 13 20:13:54 amazing NetworkManager[1347]:  (virbr0): device state change: unavailable -> disconnected (reason 'none') [20 30 0]

virbr0 is the bridge created by virt-manager for its VMs to communicate on and, frankly, NetworkManager has no business doing anything to it, let alone disconnecting it (especially when it doesn’t know why it’s doing it).

Fortunately, NetworkManager has an unmanaged-devices option that you can put in the irritatingly-capitalised file at /etc/NetworkManager/NetworkManager.conf. It belongs in the keyfile section (so you need to make sure keyfile is listed under plugins):




Annoyingly, there doesn’t appear to be a ‘managed-devices’ configuration, and virbr0’s mac address changes from time to time. So far, sticking this at the end of /etc/rc.local to get the mac address of virbr0 and replace the old one in that file seems to be working:

#! /bin/bash
# Rewrite the unmanaged-devices line with virbr0's current MAC address.
conf=/etc/NetworkManager/NetworkManager.conf

echo -n "Before  : "
grep -E '^unmanaged-devices' "$conf"
# The MAC address is the last field of ifconfig's HWaddr line.
mac=$(ifconfig virbr0 | grep HWaddr | awk '{print $NF}')
echo "New mac : $mac"
# Leave the file untouched if virbr0 reported no MAC address.
if [ -n "$mac" ]; then
    perl -pi -e "s/^unmanaged-devices.+/unmanaged-devices=mac:$mac/" "$conf"
fi
echo -n "After   : "
grep -E '^unmanaged-devices' "$conf"

Half an hour in, I’ve still got network connectivity on my VMs! :)

Finding exploited wordpress pages

WordPress seems to be hilariously easy to compromise (this might be a bad place to write that) and the general form of an exploit is to inject code like this

<?php $a = base64_decode(YSBsb25nIHN0cmluZyBvZiBiYXNlNjQgdGV4dAo=.......);

right at the top of a script. base64_decode is rarely used by the Good Guys outside of mailers and doing tricks with images, but it's almost never found right at the top of a script. I did write a really convoluted script that found calls to base64_decode and exec and guessed whether they were nefarious (generally, for example, base64_decode is called with a variable (base64_decode($mailBody)), not just a string (base64_decode(dGV4dAo=))), but that just ate all my I/O and didn't really work.

So I came up with a much cruder way of doing it. Have a script called ~/bin/base64_in_head

#! /bin/bash
# Print the path given as $1 if "base64" appears in its first ten lines.
file="$1"
head -- "$file" | grep -q base64 || exit 1
echo "$file"
exit 0

And then run it like this:

$ ionice -c3 find /home/user/public_html/ -name \*.php -exec ~/bin/base64_in_head {} \;

I’ve not yet had a situation where that’s missed a file that later manual greps have found.
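
The two ideas in this post combine into one pass: read only the head of each file, and flag base64_decode only when its argument is not a variable. The script below is an added example, not the author's script; the function names, the regular expression and the sample files are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: flag PHP files whose first lines call base64_decode() on
# something other than a $variable. All sample files below are constructed.

# base64_decode( followed by anything except a "$", whitespace or ")".
LITERAL_B64_RE='base64_decode[[:space:]]*\([[:space:]]*[^$[:space:])]'

# scan_php_heads DIR [LINES]: print each matching *.php path under DIR.
scan_php_heads() {
    find "$1" -type f -name '*.php' -exec sh -c '
        n=$1 re=$2; shift 2
        for f in "$@"; do
            # Only the head of each file is read, which keeps I/O low.
            if head -n "$n" "$f" | grep -Eq "$re"; then
                printf "%s\n" "$f"
            fi
        done
    ' sh "${2:-10}" "$LITERAL_B64_RE" {} +
}

# Build a small constructed tree to run the scan against.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    # Literal argument on line 1: the pattern described in the post.
    printf '%s\n' "<?php \$a = base64_decode('Y29uc3RydWN0ZWQ=');" \
        'echo "page";' > "$t/injected.php"
    # Variable argument, as a mailer would use: should stay quiet.
    printf '%s\n' '<?php' '$body = base64_decode($mailBody);' > "$t/mailer.php"
    # Literal argument below the default 10-line window.
    { echo '<?php'; i=0
      while [ "$i" -lt 15 ]; do echo '// filler'; i=$((i + 1)); done
      echo 'eval(base64_decode("Y29uc3RydWN0ZWQ="));'; } > "$t/deep.php"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "default window:"; scan_php_heads "$tree"
echo "30-line window:"; scan_php_heads "$tree" 30 | sort
rm -rf "$tree"
```

The third sample file shows the limit of a head-only check: a call placed below the window is only reported when the window is widened, at the cost of reading more of every file.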

Allowing uploads of arbitrary files in MediaWiki

I did RTFM and I did what it said, and still my MediaWiki complained when I tried to upload executable files and things with funny file extensions or mime types. If $wgFileExtensions is empty but $wgEnableUploads = true and $wgStrictFileExtensions = false it should just let me upload anything. I can’t think what other behaviour one would expect there, but set like that I can’t upload my dodgy files.

So I’ve removed the code it uses to check.

Here’s a pair of diffs if you’d also like to do this. These are on version 1.17.0 but I suspect it’s not changed very much.

This just comments out the two blocks of code in UploadBase.php which check whether files are considered safe and warn if they’re not – it prevents the checking and the warning:

wiki:/home/wiki/public_html# diff includes/upload/UploadBase.php includes/upload/UploadBase.php.bak
< // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
< //            // Check whether the file extension is on the unwanted list
< //            global $wgCheckFileExtensions, $wgFileExtensions;
< //            if ( $wgCheckFileExtensions ) {
< //                    if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
< //                            $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
< //                    }
< //            }
< //
>               // Check whether the file extension is on the unwanted list
>               global $wgCheckFileExtensions, $wgFileExtensions;
>               if ( $wgCheckFileExtensions ) {
>                       if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
>                               $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
>                       }
>               }
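Review bot: the block commented out here is already wrapped in if ( $wgCheckFileExtensions ), and all it does is set $warnings['filetype-unwanted-type'], so it warns rather than rejects. Setting $wgCheckFileExtensions to false in the site configuration skips it without editing UploadBase.php, which survives upgrades and leaves the warning available if the setting is turned back on.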
< // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
< //            /* Don't allow users to override the blacklist (check file extension) */
< //            global $wgCheckFileExtensions, $wgStrictFileExtensions;
< //            global $wgFileExtensions, $wgFileBlacklist;
< //            if ( $this->mFinalExtension == '' ) {
< //                    $this->mTitleError = self::FILETYPE_MISSING;
< //                    return $this->mTitle = null;
< //            } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
< //                            ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
< //                                    !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
< //                    $this->mTitleError = self::FILETYPE_BADTYPE;
< //                    return $this->mTitle = null;
< //            }
< //
>               /* Don't allow users to override the blacklist (check file extension) */
>               global $wgCheckFileExtensions, $wgStrictFileExtensions;
>               global $wgFileExtensions, $wgFileBlacklist;
>               if ( $this->mFinalExtension == '' ) {
>                       $this->mTitleError = self::FILETYPE_MISSING;
>                       return $this->mTitle = null;
>               } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
>                               ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
>                                       !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
>                       $this->mTitleError = self::FILETYPE_BADTYPE;
>                       return $this->mTitle = null;
>               }
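
Review bot: commenting out the whole if/elseif chain removes three checks at once, not only the strict allowed-list test: the empty-extension check (FILETYPE_MISSING) and the checkFileExtensionList( $ext, $wgFileBlacklist ) test go with it. The allowed-list condition is already guarded by $wgCheckFileExtensions && $wgStrictFileExtensions, so it can be switched off from configuration. If particular blacklisted extensions need to be uploadable, remove just those entries from $wgFileBlacklist rather than deleting the check, and keep the upload right limited to trusted accounts, since nothing left in this block filters by extension.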

And this just stops Setup.php making-safe the $wgFileExtensions array by removing whatever’s in $wgFileBlacklist from it, which I think wouldn’t complain had I not already done Bad Things to those two variables, but it’s late and it can’t hurt to turn this off, too:

wiki:/home/wiki/public_html# diff includes/Setup.php includes/Setup.php.bak
< // ## Avi Commented this out so we can upload whatever we like to our server. That was nice of him
< //# Blacklisted file extensions shouldn't appear on the "allowed" list
< //$wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
> # Blacklisted file extensions shouldn't appear on the "allowed" list
> $wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
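
Review bot: the array_diff commented out here only has an effect when an extension appears in both $wgFileExtensions and $wgFileBlacklist. With $wgFileExtensions empty, as the post describes, array_diff returns an empty array either way, so this edit changes nothing and can be dropped. Leaving the line in keeps blacklisted extensions off the allowed list if that array is populated later.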

Fail2Ban and date formats

Fail2Ban is utterly daft in at least one respect. Here’s me testing a regex on a date format it doesn’t recognise:

# fail2ban-regex '2010-12-14 15:12:31 -' ' - <HOST>$'
Found a match but no valid date/time found for 2010-12-14 15:12:31 - Please contact the author in order to get support for this format
Sorry, no match

And on one that it does:

fail2ban-regex '2010/12/14 15:12:31 -' ' - <HOST>$'

Success, the following data were found:
Date: Tue Dec 14 15:12:31 2010
IP  :

Date template hits:
0 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
1 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Benchmark. Executing 1000...
Avg: 0.10257935523986816 ms
Max: 0.125885009765625 ms (Run 8)
Min: 0.10085105895996094 ms (Run 780)

Ignoring for the moment the fact that it doesn’t recognise 2010-12-14 15:12:31 (Seriously?)[1], the only way to get that list of date formats is by happening to pick a correct one. As soon as you no longer need a list of date formats you may use, it presents you with one.


So, as an attempted fix for this situation, see above for a list of compatible date formats.

  1. It’s worth noting, too, that the author is of the opinion that specifying your own date format is too much like hard work, so if you want support for any date format other than those already supported, you’ve to patch it yourself. Which is obviously way easier than just having a date regex in the config file.

UI Fail: scanpst.exe’s incompatibility

Sometimes, on trying to scan a PST with MS Office’s bundled scanpst.exe, you get the below error:

"An error has occurred which caused the scan to be stopped"

And a log that ends:

Fatal Error: 80040818

What MS meant to say was:

You’re scanning an Office 2003 PST file with the scanpst tool that shipped with Office 2007. For some reason, we decided that while Outlook 2007 can cope with both, scanpst can’t

In an attempt at usefulness:
On my WinXP/Office 2007 box, scanpst is at C:\Program Files (x86)\Microsoft Office\Office12\SCANPST.EXE and downloadable here.

On our Server03/Office03 box, it’s at C:\Program Files\Common Files\System\MSMAPI\1033\SCANPST.EXE [1] and downloadable here.

I’ve no idea if these downloads are of any real use. Try them and see.

  1. I’m told the ‘1033’ pertains to geographic location, but I’ve no real idea. Browse if it’s not there.

Joining the Canonical =~ Microsoft fray

I’ve had this knocking about for a while in various forms. Following TheOpenSourcerer’s post, I figured I’d get it in while he’s getting the flak.

About a year ago, I remember there being some rejoicing at the prospect of Canonical open-sourcing Launchpad, their bug/issue/ticket tracking web application. I also remember being a mite confused by it. Canonical is the company behind Ubuntu Linux, the popular open source operating system. Surely they, of all people, had opened the source from the start? What does it say when the company most loudly and successfully pushing open source as an efficient means of software development to your average computer user, develops its in-house software behind closed doors? And, accepting that, why is opening the source cause for rejoicing? It is surely the belated Right Thing To Do. If anything, the response should have been along the lines of “Why so long?”

More recently, I decided that a hodge-podge of scripts to keep my files in sync between PCs wasn’t a good idea, not least because it didn’t actually work, and since my home PC and my laptop were both Ubuntu, and Ubuntu One seemed easy enough to install, that’d do the trick. So I installed it and started using it. Then I decided to get my work PC in on the game. And found this message:

Requirements: Because we want to give everyone using Ubuntu One the very best experience, we require that you run Ubuntu 9.04 (Jaunty Jackalope) or higher.

Which is something I don’t think I’ve come across before – a Free Software company producing software and inventing restrictions. Why shouldn’t Ubuntu One work on my Debian desktop?
This incompatibility for the sake of it is something I remember from Windows, and it’s not a good memory. I know it’s possible to write a client for it – the client is at least open source – but the message that I am required to use Ubuntu to use it? What good does that do anyone?

Most recently came the news that on the netbook edition Canonical have decided to drop (which *is* undeniably bloated) and use Google Docs in its place. Google Docs is completely proprietary. It’s about as closed source as software can get, since you can’t even study its behavior, only those interfaces you’re permitted with it.
Why wasn’t AbiWord used, with its online service, for example? Or a pared-down OpenOffice, perhaps? Canonical has shown in the past that it has the developer hours to make fantastic, awesome, changes to software. Why not do that now?

Ubuntu is the most popular desktop Linux distro. I’m sure there are ways of counting such that Fedora wins, but if something’s packaged for Linux, it’s available in an Ubuntu-pointed deb. And so it occupies a unique position for free software – it’s an opportunity to be a fantastic demonstration of what is possible with free software. It is possible to make commercial progress without restricting user freedom, and it is possible to make a wonderfully usable operating system under these conditions.

Except Ubuntu’s not demonstrating that. It’s showing that using a billionaire benefactor and a bunch of closed source software we can turn a free operating system into a mostly-freeish wonderful one.

And I’d rather like Canonical to stop doing that, and get back to making free software look good.

Android Issues

Some of this might well be rendered obsolete by the 1.6 update I’ve just received.

GMail Client
No bottom- or inline-posting, only top-posting. And, while you’re at it, there’s no way to read the quoted text while replying.
You have to read to the bottom of the email to get to the reply button, which is an odd move from someone who promotes top-posting. It’s not even in the Menu.
There’s no way of editing Labels or Filters.

This is very different to the GMail one, I don’t know why.
It also doesn’t honour read/unread flags in IMAP folders, and I continually get notifications that I’ve got new mail that arrived six months ago.

To set the date in the calendar you have three boxes, year, month and date[1], which are adjusted by either entering in the date, or a + and – button on each. This is fine when you don’t go over a month boundary, at which point it gets confusing. Since nearly everything I plan is for ‘next Wednesday’ or so, about one in four of my appointments require more thinking than I think they should.
There’s no way to add calendars that are not already available to the www version of your calendar.

Google Docs
Editing documents is possible, but creating for some reason isn’t. Also, no control over labels.
As in Mail and Calendar, there are web versions of these optimised for the Android screen, but they’re similarly crippled.

When viewing the contact, everything that has a number has a ‘call’ and a ‘text’ option, which fills the screen with never-used options.

When entering a name into the To: field, the first suggestion is as if you were writing a word with a keypad. For example, entering ‘mum’, the first option is ‘686’
Once you’ve scrolled past the useless entry and selected the one you want, the field is populated with name . Which is only an issue if you want to send a message to more than about ten people, since you run out of characters in that field.
Enter is send. This is not a problem, but I _never_ remember and send multiple messages when I mean send.

Google Maps
When selecting start and end points for directions, recently chosen points are arranged alphabetically, not in the order in which you used them. And they’re not named by how you searched for them, but by what Google calls them.

Everything’s Massive
Google took a very straightforward approach to lists and fingers – make the buttons huge. I’d like more than two options per screen, though, and I think varying the length of the buttons would be a better approach.

  1. The order is configurable

Removing user list on Ubuntu Karmic log-on screen

This doesn’t work any more
Install XDM instead. ;)

Karmic ships with a new version of GDM (2.28) which is rewritten, and by default presents a list of usernames, in much the same way as XP does by default. Lots of people dislike this. It’s also currently lacking a graphical config tool (it is in beta…).

To change it, run this:

# sudo -u gdm gconftool-2 --set --type boolean /apps/gdm/simple-greeter/disable_user_list true

This, I feel, is non-ideal since it just replaces the users list with a ‘log in’ Window and button which is completely superfluous – if I’m at the logon screen, I probably do want to log onto the PC, and the most logical thing for it to do is to be already asking for my username, ideally with that text box in focus. The previous login screen was pretty much ideal, and I’m not sure what benefit the new one has.


UI Fail: Windows XP ‘runas’ dialogue box

On right-clicking an executable[1] in XP and choosing ‘Run As…’, you are presented with the below box.

How on earth is ‘Current user’ a reasonable default value? If I wanted to run it as me, I’d just double-click it…

  1. Though not every executable. If you want to run something in the control panel, probably the most common place to want to runas, you need to shift+right-click. Several MSI files don’t do it, and nor do any apparent CAB files. Let alone the inability to directly open a non-executable file as someone else.

UI Fail: Windows XP font importing

Sometimes, you’re replacing a PC for someone, and they notice afterwards that a bunch of cool fonts, the names of which they’ve forgotten[1], are missing. “No bother”, one thinks, “I’ll just copy and paste the contents of c:/Windows/fonts across from one PC to the other”.

“And then I’ll click ‘OK’ 296 times because ‘Yes to all’ still hasn’t made it into MS’s vocabulary.”

WinXP's mass font import UI

  1. Quite understandably. Font names are never sensible.