Monday, 15 January 2018

Forcing power saving under my broken DPMS implementation

My monitor, or my X version, or my Xorg drivers, or my KMS kernel, or my xscreensaver version, or my goldfish has a broken DPMS implementation, so that my monitor doesn't turn of when idle. This is a particular waste of energy during the night. Luckily my monitor responds correctly to xset dpms force off when issued twice with a small delay. Using xprintidle-ng, I can work around the problem.

ACTIVATE=$(expr 60 \* 1000 \* 45)  # sleep after 45 mins.
while sleep 60; do
    if [ "$LASTIDLE" -lt "$ACTIVATE" -a "$IDLE" -ge "$ACTIVATE" ]; then
        xset dpms force off
        sleep 10
        xset dpms force off

Wednesday, 24 May 2017

PWD-based privilege separation

I am often tempted to try out a random github project with:

# mkdir random-repo
# cd random-repo
# git clone .
# ./configure && make
# emacs
# make
However that is naive from a security standpoint. Makefiles can do just about everything to your workstation, e.g. steal your e-banking credentials from .config/chrome. So, I want sandboxing. And I want it in a way that fuses nicely with the workflow above.

Basing sandbox activation on my shell current working directory seems to work quite nicely. Consider the following:

# id -nu
# echo $PWD
# pwdjail-mkdir random-repo
# cd random-repo
$ id -nu
$ echo $HOME
$ git clone .
$ ./configure && make
$ cd ..
# echo $PWD
# id -nu
# emacs random-repo/src/
  • I use pwdjail-mkdir instead of mkdir.
  • Entering a subdir beneath /home/clefru/devel/random-repo enters the sandbox
  • Leaving /home/clefru/devel/random-repo leaves the sandbox
In a nutshell, the sandbox concept gets fused with your working directory. I found this to fit nicely with my established working habits, that is chdir-ing into a project directory when doing work there. Let's look at how this works under the hood.

pwdjail-mkdir creates a sandbox user with its home directory set to the directory it has just created. My shell has a hook within chpwd, that when changing into a (sub-)directory of a sandbox user's home directory, the hook spawns a sub-shell via sudo for that sandbox user. The sub-shell also has a hook within chpwd that quits the sub-shell when the sandbox directory is left via another cd. Before quitting though, the sub-shell records the cd target directory and passes it to the outer shell. The outer shell, that is still hanging within its chpwd hook, grabs this target directory and chdirs into it. This completes the illusion that all of this is transparent.

To clean things up, I use pwdjail's version of rm -Ir named pwdjail-rm-Ir, which also removes the sandbox user. Sharing files between the sandbox user and the master user is done by setting a default ACL on the sandbox home directory. I still get mixed file owners if I happen to create files from within the sandbox and create files from the outside, but luckily with Posix ACLs I don't need an explicit step to fix permissions if the other users happens to access a file.

Grab the code from, run pwdjail-setup and you are good to go. I tested this only with zsh, so make sure you have that installed.

Wednesday, 2 March 2016

Tool to enable Wifi sending for Sony's Alpha cameras

Sony's A6000 has a nice feature to allow it to push images via Wifi. The camera however only does so, if it has been paired with Sony's PlayMemories Windows software. That's a one time thing, also the pairing isn't really a pairing that's strongly enforced anywhere. It's just settings truncated GUID, that the camera will broadcast after connecting to the Wifi Hotspot.

One could just grab a Windows device and do the pairing, however I was curios to see if I can cut out this requirement. And I could! I added sony-guid-setter.c to falk0069's sony-pm-alt repository which crafts non-standard USB packages so that the camera thinks it's pairing with PlayMemories. How this is done is documented in the of falk0069's repo.

Thursday, 14 August 2014

Native SSH relay

Google's Native SSH client for Chrome supports connecting to SSH via a websocket/HTTP protocol. I reverse engineered the protocol from the published source and wrote a NodeJS counterpart. This is useful if you don't want to expose your SSH port to the world, but want to hide it behind HTTP/Websockets, possibly using an additional authentication flow in front.

Thursday, 7 October 2010

Sandboxing Skype

I am in the unfortunate position to have read Silver Needle in the Skype up to PDF page 21, where a successful heap overflow attack makes skype drop to a shell. Since then I decided that I either have to stop using Skype or sandbox it. Since about a year I have been doing the latter, with some bumps in the road, as new versions of Skype needed more files and more sandboxing. However, it worked for me most of the time, and it is time to share the gory details with the world.

The sandbox script can be found at, where you can also edit the script.You need to have PulseAudio server running and listening to TCP traffic so that sound can break out of the sandbox. Verify that you have:

load-module module-native-protocol-tcp
in your PulseAudio config. Please review the variable settings to ensure that it fits your setup (DIR,XAUTHORITY,PULSECOOKIE). The sandbox is created for the user invoking the script. This user must have sudo capabilities to call the script. Please note that I have not reviewed the script with respect to security, so do not supply it to untrusted users.

Happy sandboxing. (Thanks to geheimdienst@#haskell-blah for pointing me to