Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, the user can click on a link named "SSL", which leads to an SSL-encrypted page with an alternative login form. The problem is that this page apparently sends the login form data unencrypted, so using SSL to display the login form is completely pointless.
Wed, 28 Nov 2012
SOAP::Lite
Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.
For example, look at this:
HTTP Basic authentication is accomplished by overriding the get_basic_credentials subroutine in LWP::UserAgent (of which SOAP::Transport::HTTP::Client is a subclass):
    BEGIN {
        sub SOAP::Transport::HTTP::Client::get_basic_credentials {
            return 'username' => 'password';
        }
    }
So apparently the only way to use Basic authentication is to override
a global function in a foreign namespace. And what am I supposed to do when I want to
use two SOAP servers with two sets of credentials inside a single application?
There are more similar "features" in SOAP::Lite. For example, tracing can
only be set up globally at compile time, or by manually calling ->import().
My dear lazyweb, is there a SOAP module with cleaner design?
Update - Wed, 28 Nov 2012: Tracing
FWIW, it is probably easier and cleaner to do both basic authentication
and tracing at the transport level - the transport module here is
LWP::UserAgent (thanks Adelton for the hint!), so for example the handlers described in the LWP::UserAgent manpage work:
    $soap->transport->add_handler(
        request_prepare => sub {
            shift->authorization_basic($login, $pass);
        },
    );
    $soap->transport->add_handler(
        request_send => sub { print STDERR shift->content; },
    );
    $soap->transport->add_handler(
        response_done => sub { print STDERR shift->content; },
    );
I wonder why the SOAP::Lite manpages suggest such dirty ways
of handling this (and I have not even started mentioning things
like the $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global
variable; ugh).
Tue, 27 Nov 2012
Cookies Auth and 403 Forbidden
In IS MU we have recently abandoned HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is that it does not work correctly with some clients because of the way the login form is handled.
When a not-yet-authenticated user accesses a URL for authenticated users only,
Apache2::AuthCookie returns an HTTP response with the "403 Forbidden"
status code, and with a text/html body containing the login
form. That way, the client cannot possibly be led into the false assumption that the page it just received is in fact the content it wanted to receive.
So the user fills the login form, submits it, and the server returns the real
page for that URL, this time with "200 OK" status code.
This approach seems to be correct (even after reading RFC 2616 :-). However, we observe problems with
the following two use cases:
- Nokia Symbian-based phones. After receiving 403 from the server, they display their own error message and ignore the returned HTML altogether (except for the page background :-).
- Microsoft Word. When a link to the authenticated page is embedded inside a Word document and the user Ctrl+clicks it, Word apparently starts MSIE to get the page. However, in this special case MSIE does not display the login form after getting the 403 status, but reports the error to its caller (MS Word) instead. So Word displays a generic error pop-up to the user, without the user being able to log in.
What to do now? The problem is clearly in the HTTP status code 403, and in its
misinterpretation by some clients. I don't want to return the login form
in a 200 OK response, because I need e.g. the web crawlers to know that this
is not actually the page they tried to access. As for Symbian, those phones can be
clearly identified by their User-Agent string, so I can
return 200 OK only for them. But as for MS Word, I have no clue: what I see
is the request made by MSIE (and again, I probably don't want to return
200 OK to every unauthenticated MSIE request).
Any other suggestions, my dear lazyweb?
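As an added illustration of the behaviour described above (example code, not Apache2::AuthCookie's own): a signed session cookie is checked, an unauthenticated request gets the login form with 403, and only clients whose User-Agent identifies them as Symbian get it with 200. The cookie format, the secret and the "Symbian" User-Agent substring are assumptions.

```python
import hashlib
import hmac

# Constructed server secret for signing session cookies (a real one comes from config).
SECRET_KEY = b"constructed-server-secret"
# Stand-in for the HTML login form body that the real handler serves.
LOGIN_FORM = '<html><body><form method="post" action="/login">...</form></body></html>'


def make_session_cookie(user):
    """Issue a cookie whose HMAC tag cannot be forged without SECRET_KEY."""
    tag = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def session_user(cookie):
    """Return the user named in a validly signed cookie, else None."""
    if not cookie or ":" not in cookie:
        return None
    user, tag = cookie.rsplit(":", 1)
    expected = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def lenient_client(user_agent):
    """Clients known to throw the 403 body away; assumed to carry "Symbian" in the UA."""
    return "symbian" in (user_agent or "").lower()


def respond(cookie, user_agent, real_page):
    """Return (status, body) for a request to an authenticated-only page.
    Without a valid session the body is the login form, sent with 403 so that
    crawlers and other clients do not mistake it for the requested content;
    only the lenient clients get the same form with 200."""
    if session_user(cookie) is not None:
        return 200, real_page
    status = 200 if lenient_client(user_agent) else 403
    return status, LOGIN_FORM


if __name__ == "__main__":
    print(respond(None, "Mozilla/5.0 (Windows; MSIE 8.0)", "<real page>"))
    print(respond(None, "NokiaN97/SymbianOS/9.4", "<real page>"))
    print(respond(make_session_cookie("alice"), "curl/7.26", "<real page>"))
```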
Mon, 12 Nov 2012
Desktop Environment-Specific Apps
I recently came across this two-year-old bug report, filed in the bug tracker of Transmission (a BitTorrent client), where a GNOME developer suggests removing the notification area icon from the application on the basis that GNOME 3 does not support the notification area at all.
So if I understand it correctly, we are now living in a world where all GUI applications have to depend on a particular desktop environment, and it should no longer be supported to run - say - Transmission under XFCE, or GIMP under KDE, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use it" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?
That said, notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of applications and documents shortcuts), and applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).
Fri, 12 Oct 2012
Failed SSD
Yesterday I went to a meeting and brought my laptop with me. I made
notes in a text file, and after the meeting closed the lid (my laptop
is configured to suspend then) and went away. After returning to my
office I opened my laptop and saw only error messages from
the sda drive.
The drive was totally dead, and did not work even in another computer.
After plugging it in, the SATA controller only printed something like
"resetting SATA channel", so it did notice that something had
been plugged in, but nothing more. I had to teach my UNIX course in two
hours, so I had to quickly find a replacement, install a new system,
and configure it for the presentation. Fortunately, I had a "spare" 2.5" drive
prepared as a replacement for the root FS of my workstation. So I deleted
the already configured system for my workstation, and used that.
Has anybody seen a similar problem? The drive was an "iops-optimized" OCZ Vertex II, about a year old. Fortunately, I use LUKS, so I can send it back to the vendor without worrying about my data.
Mon, 06 Aug 2012
Enterprise Bug Fixes
Today, an unimportant but interesting bug #313291 was fixed in RHEL 5. Here is the timeline:
- 2007-09-30: I reported the bug.
- 2007-10-03: The package maintainer found the upstream change which fixed the bug.
- 2007-10-05: I have verified that this trivial patch fixed the bug for me.
- 2012-08-06: The errata and the fixed package have been released.
I am grateful that the bug has been fixed after all this time,
but I don't use RHEL 5 anymore, and mutt in RHEL 6 got the fix
from the upstream.
I wonder why they even bothered to fix the bug after so much time,
and even release the new mutt package fixing this single bug.
This is not a complaint; it is hopefully an interesting insight into
the release process of RHEL packages. Maybe some high-profile customer
wanted this bug fixed. Who knows?
Mon, 02 Jul 2012
404: /undefined
In IS MU, we log and evaluate errors in HTTP
requests, including "404 not found". When the Referrer header
points back to our site, we try to look for a broken link.
Recently (in the last month or so), strange 404 requests started to appear in our
log file:
These requests point to the location /undefined, with the referrer
being our root document, /. And the referrer is not fake:
there is always a successful request to / from the same IP
address several seconds earlier. Occasionally we get similar 404 requests
pointing to /lide/undefined or /vyhledavani/undefined,
with the referrer being /lide or /vyhledavani.
We are not able to reproduce the problem. It is not User-Agent-specific
(although most of the User-Agents with this problem are Chrome), and it
is not deterministic: we get tens of these 404 requests daily out of
millions of requests in total (and out of tens of thousands of requests to the
title page). These requests are always for a non-authenticated page, and
always for a page which is a directory (i.e. which is represented by the
index.html or index.pl document in that directory).
I think it is related to some JavaScript we include on the title page - maybe jQuery, maybe Google Analytics. I tried removing the Google Analytics JavaScript from our title page for a day, but it did not make the problem disappear. Also, our git log from the time these requests started to appear does not show anything related. We have found the following possibly related discussions:
- http://productforums.google.com/forum/#!category-topic/analytics/discuss-tracking-and-implementation-issues/oqEgEM3rc8M
- http://stackoverflow.com/questions/11017609/undefined-randomly-appended-in-1-of-requested-urls-on-my-website-since-12-jun
So, my dear lazyweb - any ideas what can be the cause of this behaviour?
Update - Tue, 03 Jul 2012: It is probably AJAX
Yesterday I added a new image to the 404 page which meets the above
conditions (location ending with "/undefined",
referrer being the location minus "/undefined"), and
so far, after more than 12 hours, I see exactly zero accesses to that image
in my Apache logs. So this error is most probably caused by something
that users can't see, i.e. AJAX requests, not the window.location
modification that himdel suggests in the comments.
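The conditions described in this post can be turned into detection logic that picks the "/undefined" pattern out of an Apache combined log and separates it from ordinary broken links. This is an added example (not IS MU's logging code) run over constructed log lines; the site prefix in the Referer values is assumed.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format. SITE is the assumed scheme+host in our own Referer values.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SITE = "https://is.example"


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def undefined_404s(lines, window=timedelta(seconds=30)):
    """Return (ip, path, user_agent) for every 404 on <dir>/undefined whose Referer
    is <dir> on our own site and which follows a 200 for <dir> from the same IP
    within `window`. Plain broken links and referer-less probes are left out."""
    recs = [r for r in map(parse, lines) if r]
    hits = []
    for r in recs:
        if r["status"] != 404 or not r["path"].endswith("/undefined"):
            continue
        parent = r["path"][:-len("/undefined")] or "/"   # "/lide/undefined" -> "/lide"
        if not r["referer"].startswith(SITE):
            continue
        ref_path = r["referer"][len(SITE):] or "/"
        if ref_path.rstrip("/") != parent.rstrip("/"):
            continue
        preceded = any(
            p["ip"] == r["ip"] and p["status"] == 200
            and p["path"].rstrip("/") == parent.rstrip("/")
            and timedelta(0) <= r["time"] - p["time"] <= window
            for p in recs
        )
        if preceded:
            hits.append((r["ip"], r["path"], r["ua"]))
    return hits


# Constructed sample lines (not real IS MU traffic): two genuine instances of the
# pattern, one /undefined without a preceding hit, and one ordinary broken link.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2012:10:15:01 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 Chrome/20.0"',
    '10.0.0.5 - - [02/Jul/2012:10:15:04 +0200] "GET /undefined HTTP/1.1" 404 312 "https://is.example/" "Mozilla/5.0 Chrome/20.0"',
    '10.0.0.7 - - [02/Jul/2012:10:16:00 +0200] "GET /lide HTTP/1.1" 200 4000 "-" "Mozilla/5.0 Firefox/13.0"',
    '10.0.0.7 - - [02/Jul/2012:10:16:02 +0200] "GET /lide/undefined HTTP/1.1" 404 312 "https://is.example/lide" "Mozilla/5.0 Firefox/13.0"',
    '10.0.0.9 - - [02/Jul/2012:10:17:00 +0200] "GET /undefined HTTP/1.1" 404 312 "https://is.example/" "curl/7.26"',
    '10.0.0.5 - - [02/Jul/2012:10:18:00 +0200] "GET /foo HTTP/1.1" 404 312 "https://is.example/" "Mozilla/5.0 Chrome/20.0"',
]

if __name__ == "__main__":
    for ip, path, ua in undefined_404s(SAMPLE_LOG):
        print(f"{ip} {path} ({ua})")
```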
Fri, 18 Nov 2011
Google Authenticator
For some time, I have been considering adding two-factor authentication to my systems in order to prevent break-ins in case somebody's workstation is compromised (which is a common attack vector these days). One of the systems for one-time passwords is Google Authenticator.
G-A has an application for many smart-phone platforms (Android, iOS, Blackberry), and has a PAM module, which is even packaged in Fedora. It stores users' secrets in a file in the home directory, and uses 6-digit time-based passwords and 8-digit emergency scratch passwords. The configuration in Fedora is pretty straightforward:
- yum -y install google-authenticator
- In /etc/pam.d/system-auth and password-auth, change pam_unix.so from sufficient to required, and after that line, add the line which reads "auth sufficient pam_google_authenticator.so".
- Install the G-A application to your smartphone.
- Generate a new key using the google-authenticator command.
- Add the key to your smartphone, either directly or using a QR code.
- Profit!
There are several problems with the SSH daemon, though:
- With SELinux enabled, it does not work.
- When public key authentication is allowed in sshd_config, it also does not work (use "PubkeyAuthentication no" in /etc/ssh/sshd_config and restart sshd if you want to test it).
Especially the second problem is pretty serious, as I wanted to allow public key + one-time password authentication there as well.
So, my dear lazyweb, what kind of two-factor authentication do you use?
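The 6-digit time-based passwords mentioned above are RFC 6238 TOTP codes (HOTP from RFC 4226 with the time step as the counter). The following is an added example, not the pam_google_authenticator code, that computes and verifies them; it assumes the 30-second step and base32 secret encoding Google Authenticator uses, and the secret below is the RFC test vector, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret, unix_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time=None, window=1, step=30):
    """Accept `code` for the current step and up to `window` steps either side,
    which tolerates a little clock drift between the server and the phone."""
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Check every candidate (no early return) and compare in constant time.
        ok |= hmac.compare_digest(hotp(secret, c), str(code))
    return ok


def secret_from_base32(b32):
    """google-authenticator hands out the shared secret base32-encoded (what the QR code carries)."""
    clean = b32.strip().upper().replace(" ", "")
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


# Constructed demonstration secret: the RFC 4226/6238 test vector "12345678901234567890".
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print("code at T=59:", totp_at(secret, 59))   # 287082, per RFC 6238 appendix B
    print("verify at T=89:", verify_totp(secret, "287082", unix_time=89))
```

A real verifier additionally records the last accepted counter per user so that a code cannot be replayed within the window.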
Mon, 03 Oct 2011
Dear Customer,
[...] we would also like to inform you about the following change
in your network: a new address has been assigned to you:
2001:4cc8:...::/64.
Netbox apparently supports IPv6 now. Yay!
Wed, 15 Jun 2011
High-Performance HTTP Servers
Yesterday I read about Apache Traffic Server. My dear lazyweb, do you use something like that (or Nginx)? What is your main reason for using it? I wonder why one would use a user-space solution, when IPVS works pretty well for load balancing.
Tue, 24 May 2011
Mysterious Source Code
About a month ago, I spotted a two-page listing of source code in our printer room/kitchenette. I glanced over it briefly, and during subsequent visits to the room I became more and more fascinated by it. Finally, about a week ago, I grabbed it for myself, because nobody seemed to care about it anymore. So here it is, in all its glory:
Click the thumbnails for full-size images. Sorry for not providing a plain text version, and sorry for the Czech language in the comments. I have two reasons for which I find it really fascinating:
- There are two pages of source code which do literally nothing. They only wrap an existing class in a new one with a marginally different API (two exceptions joined into one exception, and retrying in case of failure). Nobody sane would write these two pages by hand, so I expect the code has been at least partially generated by some IDE. Obviously nobody can expect the code to be read by a human (actually, not read, but carefully examined for traces of some non-trivial application logic, should there be any). So I wonder what the present meaning of the phrase "the source code" is, when it is neither written nor readable by humans.
- The only real "application logic" is the for-cycle near the end of the second page. And even this has been totally destroyed by the "every block should have only one exit point" mantra of the programming theoreticians. Adding a simple return statement when the message sending finally succeeds would save them the following:
  - a boolean variable
  - a complicated condition in the for-cycle
  - an if statement when the maximum number of tries is reached
I can only hope this is some kind of a silly example and not a real assignment given to the students of the Programming in Java course. I think the students have to be taught that mid-layers are the root of all evil, and not some highly theoretical (read: impractical) rules like "goto is evil" or "a single exit point only".
Mon, 23 May 2011
Lost GUI features
Contemporary GUI applications have several problems which, if I remember correctly, previous systems did not have. I wonder whether anybody else also considers this a problem:
- Creating a new file: Almost every TUI text editor (like vim) happily accepts a non-existent file as a command-line argument, and the straightforward interpretation is "the user wants to start working with a new file". On the other hand, most GUI applications simply complain that the file does not exist, and some, like OO.org, exit after that message. Other GUI apps, like Gnumeric, present a warning, but then open a new document with the default file name (Book1.gnumeric in the case of Gnumeric) instead.
- Working directory: The file open/save dialog of contemporary GUI apps does not offer by default the working directory from which the application has been started, and uses some silly default instead (such as ~/Documents in the case of OpenOffice.org). Even gThumb needs to be explicitly told that the user wants to browse the current directory, with the "gthumb ." command line.
- Iconified applications: Once upon a time, in the stone age of GUI computing, there was the twm window manager. When an application window was not needed on the screen, twm could be used to iconify the application. All applications, and all instances of them, could be iconified and then restored back the same way. Then Windows 95 happened, and it started to minimize applications to the bottom panel instead of iconifying them to any place on the desktop. It also reused the desktop icons as application shortcuts instead of representing the minimized running applications. Unfortunately, the panel was too small for so many minimized running applications. Users stopped expecting to be able to restore an application after minimizing it. The applications which needed to be minimized and restored frequently (music players etc.) developed their own means of minimizing: the notification icon area. So we have iconification back, only not usable from all applications, and with each application implementing it in its own crappy way.
So what other important features of the "desktop of the past" do you consider missing from the present GUI systems?
Update - Mon, 23 May 2011: Iconified Apps
I have just discovered that XFCE4 in Fedora 15 allows the desktop icons to be switched between the "Application launchers/shortcuts" and "Minimized applications" modes. Yay!
Fri, 20 May 2011
GNOME 3
After installing Fedora 15 in a virtual machine, I decided to give GNOME 3 a try. Firstly, it is really slow over VNC. While GNOME 2 was pretty usable for testing various new applications in a virtual machine, under GNOME 3 it is almost impossible. Here is a screenshot on which I will demonstrate my problems with GNOME 3:
Firstly about the file manager. I use mostly command line for managing
my files, but using a file manager is sometimes handy nevertheless. One
of the features I often use is the "Places" list. In GNOME 3, it is presented
differently in the Places menu and in the file manager itself, which
is a clear usability bug. When I wanted to add another directory there
(I often use ~/tmp as my sandbox),
it took me at least 10 minutes to discover
that "Bookmarks" is what I probably want. And even then, the newly added
bookmark is added to a submenu instead of the main Places menu.
Also, I did not find any way to remove those useless predefined
directories like Videos, Music, etc.
from the left sidebar. Even when I have deleted them from my home directory,
they still remain in the sidebar.
Another ugliness is that the new window manager does not decorate the windows properly, and instead relies on the applications themselves to provide things like the resizing handle in the lower right corner (see the gnome-terminal window). Not only does it look ugly as hell, it also obscures the space the application expects to be visible. I will probably file this as a bug report when F15 is officially released, but I expect it to be solved, in a truly GNOME-ish fashion, by removing the "scrollbar on the left side" option :-/.
Anyway, it seems that XFCE+Sawfish combo works as expected, so I am definitely leaving GNOME when I install F15 on my workstations.
Tue, 03 May 2011
Rethinking Cron
cron(8) is one of the oldest tools in UNIX. Despite that,
I think cron is not something to be proud of. In my opinion, it
falls into the unfixable designs
category.
The recent attempts to fix it (factoring out atd(8),
a dirty hack that is anacron(8), etc.) show some of the problems
of cron. My recent experience confirms it:
This is the load average graph from our server, which runs the periodical jobs of
IS MU. Around 2 pm, I rewrote the
main crontab, joining several similar tasks into one line and adding a delay of several
seconds between their startups. The groups of tasks are now started by a
simple Perl script which handles redirecting STDOUT and STDERR, and handling
the return code. The Perl script is started using exec in the
crontab line, saving one more process.
This way, I managed to reduce the number of jobs started
simultaneously in the peak minutes of an hour from 155 to 13.
The system does exactly the same amount of work as before, but most of the
work is evenly distributed across the whole timeframe, not started in parallel
in the first second of a minute.
This is one of the big weaknesses of cron. I think the future
cron will need to support the following use cases:
- Starting jobs approximately in a given period, but not exactly at the beginning of a minute.
- Starting jobs the given period after the previous instance has finished (and maybe warning if the previous instance keeps running for too long).
- Running the job weekly, near the beginning of the weekend (not at some random time, as anacron and /etc/cron.weekly do). See Fedora bug #671076.
- Starting a job several times in parallel (depending on the number of CPUs or something like that), and restarting them after some of them finish.
What periodical and semi-periodical task scheduler do you use? Will
systemd
be the answer to these problems?
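A job-group wrapper of the kind described above, written here in Python rather than the post's Perl, as an added example (not the IS MU script): the jobs in a group are started a few seconds apart, their output is captured and their exit status reported, and a lock file covers the "do not start before the previous instance has finished" case from the list. The lock path and the demo jobs are constructed.

```python
import fcntl
import io
import os
import subprocess
import sys
import tempfile
import time


def run_group(commands, delay=2.0, log=sys.stderr, sleep=time.sleep):
    """Start each command `delay` seconds after the previous one, so the group is
    spread out instead of all hitting the machine in the first second of the
    minute. Output goes to `log`, non-zero exit statuses are reported there, and
    the exit codes are returned. `sleep` is injectable to exercise without delays."""
    procs = []
    for i, cmd in enumerate(commands):
        if i:
            sleep(delay)
        procs.append((cmd, subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                            stderr=subprocess.STDOUT, text=True)))
    codes = []
    for cmd, proc in procs:
        out, _ = proc.communicate()
        name = os.path.basename(cmd[0])
        if out:
            log.write(f"[{name}] {out}")
        if proc.returncode != 0:
            log.write(f"[{name}] exited with status {proc.returncode}\n")
        codes.append(proc.returncode)
    return codes


LOCK_PATH = os.path.join(tempfile.gettempdir(), "cron-group-example.lock")  # constructed


def try_lock(path=LOCK_PATH):
    """Non-blocking exclusive lock: the open file (keep it for the job's lifetime),
    or None when the previous instance still holds it."""
    fh = open(path, "w")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    return fh


def demo():
    """Two constructed jobs, one of them failing, with the delay stubbed out.
    Returns (exit codes, captured log text)."""
    log = io.StringIO()
    jobs = [[sys.executable, "-c", "print('first job done')"],
            [sys.executable, "-c", "import sys; sys.exit(3)"]]
    return run_group(jobs, delay=5, log=log, sleep=lambda _s: None), log.getvalue()


if __name__ == "__main__":
    lock = try_lock()
    if lock is None:
        sys.exit("previous instance still running")
    print(demo())
```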
Fri, 01 Apr 2011
git-diff(1) Dark Color Scheme
The default colored output of git-diff(1)
and other commands is a bit ugly in my terminal with dark (green-on-black)
color scheme. Here is how to fix it:
    git config --global color.branch.current 'yellow bold'
    git config --global color.branch.remote 'cyan bold'
    git config --global color.diff.new 'yellow bold'
    git config --global color.diff.old 'red bold'
    git config --global color.diff.meta 'cyan bold'
    git config --global color.diff.frag 'white bold'
    git config --global color.diff.commit 'white bold'
    git config --global color.status.added 'yellow bold'
    git config --global color.status.changed 'cyan bold'
    git config --global color.status.untracked 'red bold'
Hope this helps - I had to read the source code to find out where the color of the commit ID in git-log(1) is set. The above can at least serve as an example (after all, I don't expect you to have the same taste for colours), and for my future reference.