Claus Beerta

Stuff I do, don't and other babble.

Gnome 3 - Back to the Roots

So I've recently started using Linux on my Desktop full time again. All because of Gnome 3.

I abandoned Linux on my Desktop at home a few years back and started using OS X full time. I got a PPC Mac Mini, then an Intel Mac Mini and finally a MacBook. I was fairly happy with it: a fancy UI with a nice CLI to fiddle around on.

Good Bye Apple

A couple of months back though I started to grow tired of Apple and its behavior in general. The Company has grown from Cool Underdog to a Mega Company, and that definitely shows. IMO they're becoming the Microsoft of the 90's, using their market dominance in some areas to pressure little companies out of business.

The past few months also felt like Apple's primary focus is their iSomething Devices, and they don't care about OS X much anymore.

With all the recent updates to iTunes, which I've grown to absolutely hate as an application, their App Store for OS X and their apparent intention to turn the Desktop into a Touch UI (I'm not very big on the whole gestures notion), I finally decided to give up on it altogether.

(No, you can't have my stuff, I've already sold all of it)

Windows 7 as intermediary

For some time I was using Windows 7 exclusively on my desktop at home and on my notebook. Windows 7 is a good OS, but for a Unix person it is severely lacking in a number of areas.

Microsoft is also severely lacking in the innovation department. They need to get their act together and get some good updates out again. Their image is crap these days, and if they don't turn around, I wouldn't be too surprised if they didn't matter anymore in a couple of years. Even their primary enterprise market is slowly shifting away from them.

It'd be a shame if we'd end up with a new dominant player (Apple or Google for example) merely replacing Microsoft. We need to keep the competition, to keep these Mega Companies in check.

Hello Gnome

Fortunately for me Gnome 3 arrived. I started using it at work (Fedora 15 Betas) and when it got released I put Archlinux on my Desktop and haven't looked back yet.

I still occasionally boot Windows on my Notebook to edit photos in Lightroom, but that's all right. I've tried Bibble but I am too used to Lightroom to make the switch.

In essence I have made a complete turnaround: from Linux to Mac OS X to Windows and now back to Linux.

Let's see how long it'll last this time.

Some good to know things on Gnome 3

  • Gnome 3 Cheatsheet: link
  • Gnome Shell extensions: link
  • Gnome Tweak Tool for some advanced Settings: link

Enable Focus follows Mouse in Gnome Shell:

gconftool-2 -s /apps/metacity/general/focus_mode sloppy --type string

Changing a user theme with the extension installed (Older versions of the Tweak Tool didn't really work for me):

gsettings get org.gnome.shell.extensions.user-theme name # Get current
gsettings set org.gnome.shell.extensions.user-theme name Zukitwo # Set one
gsettings reset org.gnome.shell.extensions.user-theme name # Reset to default



First Post via Posterous

So, how do you build an interface to post content for your selfmade Blog app if you actually don’t really want to?

Easy: You don’t!

I’ve been looking around for inspiration on how to build an interface to put posts on my selfmade website. Thing is though: input validation is tedious and error prone. Even if I am the only person who will ever use this interface, I’ll still manage to trick myself. Encodings, character sets, HTML editing etc., and then I’d like to post images, photos and other media stuff. Building a frontend for that is a tedious task.

So, why bother?

Posterous to the rescue

While looking around I stumbled over Tumblr and Posterous, both providing a blogger-like service that:

  • Doesn’t run on Wordpress. I’ve grown old and tired of it.
  • Both have slick looking and quick interfaces.
  • Neither wants to know, while signing up, when your mother’s best friend’s niece had her last teeth pulled.
  • Both allow posting Markdown content via Email, and they both obviously have rich text editors to edit your posts afterwards.

What Posterous also has is the ability to distribute content to various other sites.

That, and Posterous didn’t present the site to me in German, unlike Tumblr. I know German, sure, but I don’t want to. My browser says “Give me English please”, so why send me a German page? I absolutely HATE it when sites do that.

My Content is Mine

Posterous has a simple yet useful API that allows me to get my content back and put it on my site. It also has a comments API with which I can feed the comments from Posterous back into my database. That way everything I create is under my control, and I can do with it as I see fit. If for some reason the site starts to bother me, I can just delete my account. I will keep my content.

Punch line is: I can use Posterous’ wonderful interface and features to produce and distribute content, and then just pull it back into my site.

Here’s the Code to it. It lacks importing comments, but that’s not that urgent.

Triggering the importer

Once posted, Posterous sends a mail back to confirm that something went live. Why thank you, I can use that!

A little procmail action:

:0
* ^From: .*post@posterous.com.*
{
    :0 c # Trigger an update (c: work on a copy, keep processing the mail)
    | USER=cbeerta PASSWORD=thoughshallnotknow php index.php --import-posterous

    :0 # and store the mail (for now)
    $DEFAULT
}

And the post will be added to my page immediately. Nifty.



Securing your Web server against Bots

Bots usually operate in a fairly similar way to get onto your server:

  • They exploit a known vulnerability in a PHP script to inject some code
  • This injected code is usually very simple, downloading the Trojan from a remote address with curl or wget to a temporary directory
  • After the Trojan has been downloaded, it is then executed through the PHP vulnerability

A method I've employed in the past to at least stop these automated spreads of Trojans is adding iptables rules that forbid the user the Web server runs as from making any connections to the outside world:

# Allow Everything local
iptables -A OUTPUT -o lo+ -m owner --uid-owner 33 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m owner --uid-owner 33 -j ACCEPT
# Allow DNS Requests 
iptables -A OUTPUT -p udp -m owner --uid-owner 33 -m udp --dport 53 -j ACCEPT
# Allow HTTP Answers to clients requesting stuff from the Web Server (HTTP+HTTPS)
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 443 -j ACCEPT
# Log everything that gets dropped
iptables -A OUTPUT -m owner --uid-owner 33 -m limit --limit 5/sec -j LOG --log-prefix "www-data: "
# and finally drop anything that tries to leave
iptables -A OUTPUT -m owner --uid-owner 33 -j REJECT --reject-with icmp-port-unreachable

# Force outgoing HTTP requests through the HTTP proxy on port 8080
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

"But now all my RSS Clients, and HTTP Includes won't work anymore" There is two ways around the fact that now nothing on your web server is allowed to talk to the evil internet anymore:

  1. Insert `ACCEPT` rules into the iptables chain for the destinations you want to allow. This method is tedious and error prone, as you need to constantly be aware of what IPs the services you're using have and update your iptables rules accordingly.
  2. Use a simple HTTP proxy to pass through the requests you want to allow.

I've always preferred the HTTP proxy method. It may be a bit more work to set up in the first place, but the added security is worth it: since you allow on a URL basis, you don't need to worry about the remote side changing IPs anymore, and if you allow IPs with iptables, people can upload their Trojans to those allowed web servers and bypass all your fancy protection.

A good proxy that allows for extensive filtering and still has a small footprint is Tinyproxy. A few settings you want to tune are:

# Only listen on localhost
Listen 127.0.0.1

# Allow requests from your local server only
Allow 127.0.0.1
Allow <Official IP Address of your server>

# Enable filtering, and deny everything by default
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterExtended On
FilterDefaultDeny Yes

Looking at your Tinyproxy logfiles, you should now see requests being denied if you access a page on the Web server that tries to include external resources:

CONNECT   Aug 01 05:11:57 [16731]: Connect (file descriptor 7): aello.beerta.net [207.192.69.25]
CONNECT   Aug 01 05:11:57 [16731]: Request (file descriptor 7): GET /1.0/user/cb0amg/recenttracks.rss HTTP/1.0
INFO      Aug 01 05:11:57 [16731]: process_request: trans Host GET http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss for 7
NOTICE    Aug 01 05:11:57 [16731]: Proxying refused on filtered url "http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss"
INFO      Aug 01 05:11:57 [16731]: Not sending client headers to remote machine

Voila, my Wordpress installation tried to grab the recent tracks RSS from last.fm. I want to allow that, so I'll just add this to my Tinyproxy filter rules:

^http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss.*
^http://backend.deviantart.com:80/rss.xml.*
^http://rest.akismet.com:80/.*

Now anything you want your Web Server to access, you can simply add to your Tinyproxy filter.
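The review step above (read the refused URLs out of the Tinyproxy log, decide which deserve a filter line, write that line) as an added Python example; this is not the page's or Tinyproxy's own code. It assumes Tinyproxy's allowlist behaviour with FilterURLs On, FilterExtended On and FilterDefaultDeny Yes (a URL is proxied only if some extended regex in the filter file matches it), uses Python's re.search in place of Tinyproxy's POSIX regexec, and runs on a constructed log excerpt and filter list.

```python
"""Review Tinyproxy 'Proxying refused' notices against the allowlist filter.
Added example (not the page's or Tinyproxy's code). Assumes FilterURLs On,
FilterExtended On, FilterDefaultDeny Yes: a URL is proxied only if some
extended regex in the filter file matches it (re.search stands in for regexec).
"""
import re

REFUSED_RE = re.compile(r'Proxying refused on filtered url "([^"]+)"')
# POSIX ERE metacharacters (re.escape also backslashes '-', '&', '#', undefined in ERE).
ERE_META = re.compile(r"[.^$*+?()\[\]{}|\\]")

# Constructed log excerpt in Tinyproxy's format (not the page's own log).
SAMPLE_LOG = """\
NOTICE    Aug 01 05:11:57 [16731]: Proxying refused on filtered url "http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss"
INFO      Aug 01 05:11:57 [16731]: Not sending client headers to remote machine
NOTICE    Aug 01 05:12:03 [16731]: Proxying refused on filtered url "http://203.0.113.5:80/tmp/update.txt"
NOTICE    Aug 01 05:12:09 [16731]: Proxying refused on filtered url "http://rest.akismet.com:80/1.1/verify-key"
"""

# Constructed filter file: the page's rules with literal dots escaped.
SAMPLE_FILTER = [
    "# one extended regex per line; blank lines and comments are skipped",
    r"^http://ws\.audioscrobbler\.com:80/1\.0/user/cb0amg/recenttracks\.rss.*",
    r"^http://rest\.akismet\.com:80/.*",
]

def refused_urls(log_text):
    """Every URL Tinyproxy logged as refused, in log order."""
    return REFUSED_RE.findall(log_text)

def allowed(url, filter_lines):
    """FilterDefaultDeny semantics: allowed only if some filter pattern matches."""
    patterns = [l.strip() for l in filter_lines
                if l.strip() and not l.lstrip().startswith("#")]
    return any(re.search(p, url) for p in patterns)

def suggest_rule(url):
    """Exact-URL allowlist entry: anchored at both ends, metacharacters escaped."""
    return "^" + ERE_META.sub(lambda m: "\\" + m.group(0), url) + "$"

def review(log_text, filter_lines):
    """Map each refused URL to 'allowed' (filter already covers it) or to a
    candidate rule; a fetch from a bare IP is exactly what the filter is for,
    so the admin still decides which candidates to paste into the file."""
    return {u: "allowed" if allowed(u, filter_lines) else suggest_rule(u)
            for u in refused_urls(log_text)}

if __name__ == "__main__":
    for url, verdict in review(SAMPLE_LOG, SAMPLE_FILTER).items():
        print(f"{url}\n    -> {verdict}")
```

The page's own filter lines leave the dots unescaped, which works but lets `.` match any character; the generated rules escape them and anchor both ends so a rule covers exactly the URL it was written for.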

Remember though, this is not a blanket protection against any software flaw that exists! You should still keep your software updated at all times.



Reading other people's Code

I don't know if I just suck at understanding other people's (PHP mostly) code, but I frequently find myself slapping my forehead while reading code other people produce. I don't say I'm a lot better at it, and I know that; that's why I would never ever put my crap code online for other people to use and work with.

I'm on the search for a Wiki software (more a Wiki class) that I can use to start writing something that is in my head, and I don't currently want to write my own Wiki just for that. (I wonder how long I can withstand that urge though.) While going through the numerous PHP Wikis that are available, I'm getting more and more frustrated.

Just an example of what I feel is just bad:


@ini_set('session.use_cookies','1');
@ini_set('session.use_only_cookies','1');
@ini_set('url_rewriter.tags','');
@ini_set('session.use_trans_sid','0');
@ini_set('display_errors','on');
@ini_set('default_charset',wc_charset);
@ini_set('mbstring.func_overload','7');
@ini_set('mbstring.internal_encoding',wc_charset);
@ini_set('mbstring.internal_encoding',wc_charset);
 

Please don't do that, it will drive poor admins insane trying to figure out why the settings in their precious php.ini don't seem to work. (Especially enabling display_errors somewhere inside the code is a no-go, and who knows what the software does if I forbid ini_set in my PHP setup.)

Having a full page of requires that point to 5-line classes is bad. Having everything in one single file is not the way to go either, and having 50 lines of documentation for an absolutely obvious function that is exactly one(!) line of code, against not a single line of comments for a 50+ line function, is just silly. Either document properly, or don't document at all!

Writing entire functions in a single line that even grows out of my editor window (which is 200 chars wide) is bad. Having 10+ of those functions beneath each other makes me sad.

After opening another php file, and seeing this:


foreach($_GET as $key => $value){if(in_array($key,$export_vars)){$$key = $value;}}
foreach($_POST as $key => $value){if(in_array($key,$export_vars)){$$key = $value;}}
 

I immediately quit my editor and rm -rf the thing. You know, spaces don't cost extra money to use in source code.


/*
    Yes, most of the formatting used in this file is HORRIBLY BAD STYLE. However,
    most of the action happens outside of this file, and I really wanted the code
    to look as small as what it does. Basically. Oh, I just suck. :)
*/

 

At least they're honest with that statement. AND OH BOY IS HE RIGHT! (rm -rf)



Wow:
The ErfurtWiki engine is fully contained in one script file, but almost 200 feature enriching plugins and extensions modules are available.

Guys, THAT IS NOTHING TO BE PROUD OF! 130KB of Code! That's a whopping 4000 Lines! Aaargh!

I've got a headache now, and I still don't have anything that I can use.

It's not all bad though. Take a look at the source of coWiki. It is nicely structured, has _useful_ comments in the code, and is beautifully indented.

I think I will just use the Markdown class, and start writing code around that.