![\"A](\"/img/blog/how-to-link-a-device-to-an-insular-ed-garmin-connect-on-android_1.png\")
Unlike most of Android users (but like some members the infosec community), I use Insular to isolate “untrustworthy” (your definition of “trust” may vary here) Android applications.
\n\nInsular is an alternative to Shelter and a fork of Island, which weaponizes the Android “Work profile” (that relies on Linux namespaces under the hood) to offer two independent Android execution contexts on the same device.
\n“Work profile” is ordinarily used by enterprises or organizations to dedicate a second SIM to a separate context or to even allow a MDM (Mobile Device Management) solution to be installed and granted root-like (Administrator) privileges to it, without accessing device owner’s “personal” data (e.g. messages, contacts, calendar and so on, present in the other context).
This is a very nice approach of “defense in depth” for Android systems, as it allows one not to trust Android permissions as the only security mechanism preventing an application from accessing your personal data (which had already been trivially bypassed in the past).
\n\nTechnically, Insular manages two contexts called “Mainland” and “Island”, respectively used as “personal” (trustworthy) and “work” (untrustworthy) contexts.
\n\nInsular is of course available on F-Droid.
\n\nA typical setup is to install F-Droid in Personal/Mainland context, clone it to Work/Island, and then use this clone to install a third-party applications store (e.g. Aurora Store) to install “untrusted” applications. The third-party store, as well as all the applications installed with it, will only be able to access data in the Work/Island context (which correspond to more or less nothing).
\n\n![\"A](\"/img/blog/how-to-link-a-device-to-an-insular-ed-garmin-connect-on-android_2.png\")
For day-to-day usability, Android supports transferring media from/to Work/Island context, modulo additional confirmation dialogs (and thus, requiring user approbation).
\n\nSo let’s say you want to link a Garmin device to your Android phone through the official Garmin Connect application. One would follow the instructions, grant Nearby devices Android permission and run the easy setup process, and that’s it.
But if Garmin Connect is run from the Work/Island context, it looks like a bug prevents the (custom ?) Bluetooth pairing flow to find and connect to your device. The setup process actually starts, and then… nothing. Manually opening Bluetooth settings and trying to find the device didn’t work.
\n\nIt looked like something was silently failing (pretty frustrating when you work in IT and lack of an explicit error) :
\n\n![\"A](\"/img/blog/how-to-link-a-device-to-an-insular-ed-garmin-connect-on-android_3.png\")
The only similar issue I’ve found so far is this one, where the user actually had a locale divergence between their Garmin account and Android settings from the application point of view. The Work profile is also known to prevent access (or fake) some system information, it’s not unlikely that something might be related here.
\n\nAnyway, Insular allows applications to be cloned from Personal/Mainland to Work/Island contexts (as we’ve seen with F-Droid for instance), but the other way is also possible !
\n\n![\"A](\"/img/blog/how-to-link-a-device-to-an-insular-ed-garmin-connect-on-android_4.png\")
So I’ve cloned Garmin Connect from Island to Mainland, opened it, logged in with my account, and then started the linking process as before. Bluetooth system dialogs popped-up, and everything went smoothly.
\n\n![\"A](\"/img/blog/how-to-link-a-device-to-an-insular-ed-garmin-connect-on-android_5.png\")
So now that the device is known to Android, and as Bluetooth devices are actually shared across contexts (because they are part of system), I only had to uninstall the cloned Garmin Connect from Mainland, and start using the original one installed in Island which now can discuss with the device !
\n\nIt wasn’t very clean, but leveraging Android permissions by solely and temporarily granting access to Nearby devices in Personal/Mainland context, it suffices to go through the Bluetooth pairing process, before uninstalling the proprietary piece of software, like nothing happened.
![\"A](\"/img/blog/how-to-switch-to-pico-tts-for-orca-on-debian-gnome_1.jpg\")
Microsoft wants us to throw away working computers for (opinionated) security benefits. Most of people only want to browse the Web, read their e-mails, but more importantly, leverage the last computer they bought while it’s still working : it’s good for the planet and their expenses. Software shouldn’t be the limitation here.
\nTheir risk assessment (which actually doesn’t exist, because they have only few assets) couldn’t care less about whether or not their motherboard or CPU offers a TPM 2.0. They only want a secure operating system to be protected from trivial malware, a secure Web browser to execute megabytes of third-party JavaScript, and a secure e-mail client to handle all the spams they receive.
So here is yet another good time for most of humans to part away from EEE USA-giants, and opt for open (and free) alternatives (as GNU/Linux).
\n\nAmong all humans, some are part of my family (no kidding !), for which I usually play the “IT technician” role :nerd_face:
\n\nMy grand-father is highly visually impaired, as I previously wrote about when documenting how he used Android, and has been really keen to try what screen reading feature Linux could offer, following Windows replacement.
\nWindows… an OS he couldn’t even use for the last decade due to successive UX breaking changes (XP, 7, 10) he couldn’t adapt to, coupled to poor accessibility tools.
Orca screen reader is integrated to GNOME desktop environment by default, and uses speech-dispatcher (speechd) as an interface between screen readers and TTS (text-to-speech) engines for audio transcription.
\n\nOn a default Debian 13 (Trixie) install, the screen reading feature software flow looks like this :
\nScreen text content --> Orca --> speechd --> eSpeak NG --> Audio output\nUnfortunately, it turns out default (and open-source) TTS engine eSpeak NG output voices were absolutely horrendous, and we couldn’t get a clue of what they actually said. So we decided to give a try to SVOX Pico TTS engine, which is (proprietary but) publicly appreciated by the French community.
\n\nAs we couldn’t find an up-to-date/working documentation, here it is !
\n\nFirst you need to add contrib and non-free components to your apt sources list, for instance :
deb http://deb.debian.org/debian trixie main contrib non-free\ndeb http://deb.debian.org/debian-security trixie-security main contrib non-free\ndeb http://deb.debian.org/debian trixie-updates main contrib non-freeThen you have to install Pico utilities as well as speech-dispatcher Pico module :
\n\napt-get update\napt-get install -y libttspico-utils speech-dispatcher-picoEventually, we edited /etc/speech-dispatcher/speechd.conf to enable Pico TTS by default :
# ...\nDefaultModule pico\n# ...\nAddModule \"pico\" \"sd_pico\" \"pico.conf\"\n# ...\n# Note : you can replace below \"fr\" by \"de\", \"en\", \"es\" or even \"it\" for Italian !\nLanguageDefaultModule \"fr\" \"pico\"Now you only have to restart GNOME to make Orca properly use new speech-dispatcher configuration (restarting speech-dispatcherd.service didn’t seem to be sufficient).
SVOX Pico only proposes a single (female) voice, which is clearer and more importantly… understandable.
\n\nAnd don’t forget : an up-to-date and secure Windows, is a Windows which you’ve eventually got rid of ! :wastebasket:
\n", "summary": "Improving Orca output voice on Debian GNOME wasn't quite straightforward", "tags": ["Tutorials"] },{ "title": "Welcome to dystopIA", "date_published": "2025-08-09T17:32:00+02:00", "date_modified": "2025-08-23T22:33:00+02:00", "id": "https://samuel.forestier.app/blog/articles/welcome-to-dystopia", "url": "https://samuel.forestier.app/blog/articles/welcome-to-dystopia", "image": "https://samuel.forestier.app/img/blog/welcome-to-dystopia_1.jpg", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/welcome-to-dystopia_1.jpg\")
Somewhere in France, two months ago : a ten year old boy plays with his mother’s (Android) smartphone and ends up on Gemini which reads something like this :
\n\n\n\n\n“Hello $NAME, here is what you can do near $LOCATION […]”
\n
\n- How do you know we are in $LOCATION ?
\n- [Gemini’s irrelevant and pointless redacted answer]
\n- NO !!! :angry: HOW. DO. YOU. KNOW. WE. ARE. IN. $LOCATION ???
Welcome to dystopIA. Youngsters simple (thus naive) approach of life against huge tech giants steamrollers…
\n\nAs a previous Intel CEO (Andy Grove) said in early 2000s :
\n\n\n\n\n“High tech runs three-times faster than normal businesses. And the government runs three-times slower than normal businesses. So we have a nine-times gap… And so what you want to do is you want to make sure that the government does not get in the way and slow things down.”
\n
… we cannot expect and wait for slowly-evolving legislation to enforce regulation for the sake of citizens (and eventually humanity).
\n\nMy only hope (for the top-down approach) is that even on the right-side of the economically-political spectrum, liberals begin to understand that this new “technological revolution” won’t just cause massive layoffs and hence unemployment, but also totally destroy the “labour value” so important to them.
\n\nHow to “emancipate through work” (if you happen to believe in it) if one is enslaved to a black box prompt copying/pasting someone else’s work that has been mixed up with others’ ?
\n\nHow to “benefit from the social elevator” if most of your studies consist into giving course slides and exercises to a machine only good at respectively summing them up and resolving them for you ?
\n\nHow to “innovate” (to save life on Earth, as techno-solutionists evangelize) if your only tool is a huge regressive equation, which is only good at dwelling on what has already been discovered ?
\n\nYou know the situation is completely f*cked up when the ones actually driving on the highway are simultaneously calling for speed regulation (for their public image) as well as fearful about their own behavior.
\n\nWe have piled up millions of lines of codes, terabytes of binaries, and now with this new paradigm we keep still : we need anti-crawling bots to keep our websites up, some even feed them trash to “slow” them by wasting computational resources, and we build concurrent models to “fix” inherent security issues… Cats and mice game continues, but planet loses.
\n\nAs network backbones had to scale up to deal with modern usages (e.g. a whole city streaming 4K of different VoDs at the same hour every day), our power grids and energetic mixes have to go down the same path. And don’t fool yourself : it’s our usages that design infrastructures, not the other way around. Companies and engineers won’t spend money (nor time) on unworthy projects. I keenly invite you to read on the “path dependence”, and here (french) applied to AI.
\n\nWe reached a point where a datacenter built in a neighborhood¹ almost consumes what the residents do. Imagine.
\n\nIn the end, the situation is so lunar that we’re encouraged to pee in the shower skip greetings…
I’d like to mention Luc Julia and more particularly his take on why AI doesn’t exist.
\nThe key note is : our brain consumes pretty much nothing compared to what neural networks require, and it usually does better.
So you will tell me human-beings cannot possibly work 24/7, need medical insurances and (what a shame !) happen to fight for their rights. Indeed, we aren’t machines.
\n\nBut let’s be honest, a “performant AI” is a “well-trained AI”. And training at the end of the day, comes from humans !
\nWhat actually happens is : we’re paying few cents per hours some people (for their low brain energy consumption) on the other side of the planet to “train” (very high energy intensive) machines on ours, so as not to pay a (salaried) human-beings decently. More on the “hidden (social) conditions” behind AI here (french).
Earth loses. Humanity loses. Tech parties “wins”.
\n\nIt has been some years we haven’t experienced the explosion of a speculative bubble… We had Internet around 2000, real estate that begins to collapse in China, cryptocurrencies that happen to more or less follow “real-economy” trends between two insider trading infringements, …
\nInvestors needed a new horse to bet their extra-money on, and AI appeared. Once they will understand that “garbage in” usually and eventually gives “garbage out”, be ready and brace for impact…
The same and rather old patterns apply : competition, predation, economic headlong rush (not to spoil the property owners) : our Occidental unindustrialized (and thus massively unemployed) societies have come to an end (and are slowly declining).
\nOwners and renters can still put some money on the table, wait for the donuts to grow (because others follow), and gather the differences (often positive for them).
Trivially, we could say that “owners” have interest in such a “technological revolution” to happen in order to maximize the expansion of what they already have. On the other hand, “workers” will be compelled to embrace yet another enslaving companion (for “productivity”).
\n\nWould you value one’s speeches if you knew each one of their sentences next word were computed using probability ? But you do if you use generative AI.
\nWould you seriously value a discussion with a delusional/mythomaniac friend of yours ? But you do if use generative AI.
\nWould you share some personal/confidential data with someone publicly known to use it for their own benefits (and that may make them available for the rest of the world afterwards) ? But you do if you use (a public) generative AI.
Do you know Crocker’s Rules ? If not, you really should.
\nWhat would be the point of feeding bullet points to an LLM² for it to generate a well-written e-mail, if on the other end, your recipient also uses an LLM to sum up your block of text down to… bullet points ?
\nSo you’d have expanded-then-compressed some data, which at best is useless, and at worst the essence of your key notes may have been lost during the process.
Here’s a situation : you have a problem to solve, and a quick query using your favorite Web search engine and relevant keywords gave no results : don’t lose time asking a generative AI, it will hallucinate and you will just lose time (and consume more energy for nothing).
\n\nA neural networks acts more or less as a linear regression. It will try to minimize what we mathematically call a cost function. So it’ll be a “performant” machine, for a given set of tasks. But it won’t be able to create new things.
\n\nIf it’s the end of innovation, it’ll be the end of Societies (at least as the forms in which we know them today).
\n\nNo more artists. Thus, all artists ? Creating Generating content relying on NFT opened to speculation, on a daily-basis ?
A choice needs to be made : do we want to keep a “social usefulness” ? Or at least, the possibility to have one ?
\n\nIs a machine only performing syntactically-correct answers sufficient ? Try to e-mail a well-written but factually wrong text to your boss and you’ll eventually see it isn’t…
\n\nIs “Chat” a GPT (Global Persistent Threat) to humanity ? Yes because, by paraphrasing and translating Emmanuel Dockès³ :
\n\n\n\n\n“If you happen to only free people that can stand thralldom, you only free the strong ones”.
\n
If you think users should be blamed for blindly following definitely wrong instructions, try to analyze who operate the service, and why.
\n\nWhat will you do when advertisements will directly be included in prompt responses ?
\nYou will pay for the service your work (life ?) depends on ? As you already paid for your music, VoD, game, Internet access and other entertainment-thus-optional services, while the persons feeding you daily kill themselves ?
Does a plumber uses free tools ? Does a plumber would even rent them ?
\nWe shouldn’t start relying on tools we do not master, trust, or that we cannot replace (I’m looking at you Office 365 :eyes:).
Giant tech companies offering “smart” assistants for free are currently performing a massive “technological dumping” that is never discussed.
\nAs it started before with “clouds” and e-mail providers, we are giving them away all of our personal data, and they will eventually be able to make you pay for their services.
I’d like to remind you of a previous popular take on e-mails : Google Has Most of My Email Because It Has All of Yours
\n\nUnless you’re called Robinson and live on an island, your (in)actions have an impact on society (particularly on your close circles). If you let predatory companies entering your life, they also enter lives of the ones you meet, spend time and discuss with, make love to, …\nIn the end, our ideas, our voices, our emotions, even our intentions go to them. And that’s scary.
\n\nDon’t forget that everything you type on a platform that belongs to a third party, 1) doesn’t belong to you (that were the terms of service you didn’t read when signing up) and 2) it’ll be a matter of time before it ends up being publicly available on Internet.
\n\nWe were arguing whether history is written by the victors, and maybe we’ll soon debate whether past facts existed at all (french).
\n\nI don’t want a world where the only particularity of human-beings would be their thumb opposability, that will serve machines (somewhat already close to warehouse worker conditions, for you to receive your packages on short time notices…).
\n\nI don’t want either a world looking like something between Idiocracy (2006) and Don’t look up (2021) (already crossed with Her (2013)), where average IQ went drastically down due to massive assistance or billionaires deciding how we should live (or die). If it doesn’t end up as in Terminator 3 (2003), once we’ll have had connected the first AI to military infrastructure to fight… itself.
\n\nWill we be able to live without a personal assistant ? Optarim verius, quam sperarim. In the meantime, this post has been written without any.
\n\n#StepAIside, #WalkAwAI, #OptForBrAIn
\n\n1 : La Courneuve, France
\n2 : Large Language Model
\n3 : “Si vous ne libérez que ceux qui ont la force de refuser la servitude, vous ne libérez que les forts”. p302, Emmanuel Dockès (2017), Voyage en misarchie. Éditions du Détour
![\"A](\"/img/blog/how-to-migrate-magnetico-sqlite-database-dump-to-postgresql_1.png\")
Magnetico is a the self-hosted BitTorrent DHT crawler, with built-in searching capabilities.
Usually, to avoid bootstrapping database and crawl Internet from zero on your own, you can download a community dump (like @anindyamaiti’s here), and let Magnetico start from here.
\n\nBut these dumps are usually proposed as SQLite databases (see this thread), because original Magnetico implementation didn’t support any other source.
\n\nSome years ago, there was indeed magnetico-go-migrator that had been developed for this very purpose, but it’s written in Go the project doesn’t seem to exist anymore… There is also magnetico_merge, but I wanted a stable and efficient solution (i.e. without hard-coded SQL schema and not written in Python either).
In this blog post, I’ll explain how I migrated such an SQLite database dump to PostgreSQL, which now Magnetico uses as its regular database, using PGLoader (because such a migration isn’t a straightforward process at all).
\n\nFirst we need to install some packages :
\n\napt install -y icu-devtools pgloader sqlite3I consider Magnetico service directory tree to look somehow like this :
\n\n.\n├── data\n│ ├── database.sqlite3\n│ ├── database.sqlite3-shm\n│ └── database.sqlite3-wal\n└── docker-compose.ymlDespite being pretty actively maintained, PGLoader still counts an incredible amount of opened issues. One that I’ve been struggling with is #1256, which causes PGLoader to fail to correctly “transpile” SQLite REFERENCES constraints :
ERROR PostgreSQL Database error 42601: syntax error at or near \")\"\nQUERY: ALTER TABLE \"files\" ADD FOREIGN KEY() REFERENCES \"torrents\"() ON UPDATE RESTRICT ON DELETE CASCADE… which, as you can see, comes from Magnetico schema :
\n\nsqlite3 -readonly data/database.sqlite3 \".schema files\"CREATE TABLE files (\n\t\t\tid INTEGER PRIMARY KEY,\n\t\t\ttorrent_id INTEGER REFERENCES torrents ON DELETE CASCADE ON UPDATE RESTRICT,\n\t\t\tsize INTEGER NOT NULL,\n\t\t\tpath TEXT NOT NULL\n\t\t, is_readme INTEGER CHECK (is_readme IS NULL OR is_readme=1) DEFAULT NULL, content TEXT CHECK ((content IS NULL AND is_readme IS NULL) OR (content IS NOT NULL AND is_readme=1)) DEFAULT NULL);\nCREATE UNIQUE INDEX readme_index ON files (torrent_id, is_readme);So if we wrap this up, a naive approach (or rather “an approach that I’ve tried for you” :upside_down_face:) would be to execute a PGLoader command derived from upstream documentation :
\n\nLOAD database\n from sqlite://data/database.sqlite3\n into postgres://magnetico@unix:run/postgresql:5432/magnetico\n\nWITH include drop, create tables, create indexes, reset sequences,\n quote identifiers,\n on error resume next,\n prefetch rows = 10000\n\nSET work_mem to '16 MB',\n maintenance_work_mem to '512 MB'\n\nAFTER LOAD DO\n $$ CREATE EXTENSION IF NOT EXISTS pg_trgm; $$,\n $$ ALTER TABLE files ADD FOREIGN KEY(torrent_id) REFERENCES torrents ON UPDATE RESTRICT ON DELETE CASCADE; $$;You should have noticed prefetch rows option (which defaults to 100000) that I had to lower as, if you don’t have a whole datacenter at your disposal either, it leads to heap memory exhaustion.
\n\n\nLater, I’ve also hit another PGLoader “transpilation” issue, this time related to SQLite
\nPRIMARY KEY… Long story short : this is an SQL nightmare.
But anyway, this PGLoader command fails pretty hard and quick, because of…
\n\nBitTorrent DHT actually contains lots of garbage, including invalid UTF-8 character sequences.\nPostgreSQL enforces strict character encoding checks, which prevents us from directly importing TEXT columns (torrents.name and files.path) from SQLite. Moreover, it stops current table processing when it encounters an error (including an encoding one), and PGLoader doesn’t continue with the remaining rows afterward.
So I decided to adapt @Crystalix007’s solution for cleaning the SQLite dump from invalid character sequences, without the major drawback of duplicating it on disk multiple times (which by the way additionally lead to database corruption in my case…).
\n\nSo the idea here is to walk away from PGLoader SQLite connector and let Magnetico create a clean database schema. Then we dump SQLite database tables as CSV streamed through uconv (in order to skip invalid UTF-8 character sequences, which spares us some useless gigabytes by the way :wink:) down to PostgreSQL database thanks to PGLoader :
![\"A](\"/img/blog/how-to-migrate-magnetico-sqlite-database-dump-to-postgresql_2.png\")
As CSV is a text format, special care must be taken when importing torrents.info_hash, which is an SQLite BLOB column (containing raw bytes). For this we leverage PostgreSQL’s bytea hex format and encode those bytes on-the-fly as hexadecimal.
Extend Magnetico Compose stack with a PostgreSQL service, as below :
\n\nversion: \"2\"\n\nservices:\n magnetico:\n image: ghcr.io/tgragnato/magnetico:latest\n restart: always\n ports:\n - \"127.0.0.1:8080:8080\"\n command:\n - \"--database=postgres://magnetico:password@postgres:5432/magnetico?sslmode=disable\"\n - \"--max-rps=500\"\n - \"--addr=0.0.0.0:8080\"\n depends_on:\n - postgres\n\n postgres:\n image: docker.io/postgres:18-alpine\n restart: always\n shm_size: 128mb\n environment:\n POSTGRES_USER: \"magnetico\"\n POSTGRES_PASSWORD: \"password\"\n POSTGRES_DB: \"magnetico\"\n volumes:\n - ./data/postgres:/var/lib/postgresql\n # required at first PostgreSQL start, to enable 'pg_trm' extension\n - ./load_trm.sql:/docker-entrypoint-initdb.d/load_trm.sql:ro\n # allow PGLoader to connect to PostgreSQL using UNIX domain socket, for maximum performance\n - ./run:/var/run… and then run the following commands :
\n\nmkdir -p data/postgres/ run/\necho \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\" > load_trm.sql\n\npodman-compose up -d && podman-compose logs -f magnetico\n# press CTRL+C when you see \"magnetico is ready to serve on [...]!\" log message !\n\n# stop Magnetico service (only)\npodman-compose stop magneticoYou’ll have to prepare a PGLoader command file (load_table.pgl), which imports CSV content read from stdin into PostgreSQL TARGET_TABLE :
LOAD CSV\n FROM stdin\n INTO postgres://magnetico@unix:run/postgresql:5432/magnetico\n TARGET TABLE '{{ TARGET_TABLE }}'\n\nWITH disable triggers,\n fields optionally enclosed by '\"',\n fields escaped by double-quote,\n fields terminated by ','\n\nSET work_mem to '32 MB',\n maintenance_work_mem to '512 MB'\n\nBEFORE LOAD DO\n $$ TRUNCATE TABLE \"{{ TARGET_TABLE }}\" CASCADE; $$,\n $$ UPDATE pg_index SET indisready=false WHERE indrelid = (SELECT oid FROM pg_class WHERE relname = '{{ TARGET_TABLE }}'); $$\n\nAFTER LOAD DO\n $$ UPDATE pg_index SET indisready=true WHERE indrelid = (SELECT oid FROM pg_class WHERE relname = '{{ TARGET_TABLE }}'); $$,\n $$ SELECT setval('seq_{{ TARGET_TABLE }}_id', (SELECT MAX(id) FROM \"{{ TARGET_TABLE }}\")); $$;It turns out PGLoader doesn’t specify CASCADE when truncating target table, so we must do it ourselves as import prelude.
For performance purpose, we disable all TARGET_TABLE indexes during import (following @fle’s trick) and trigger whole database re-indexation afterwards (see below).
\nThis is a(nother) workaround as PGLoader isn’t able to drop indexes (before reconstructing them at the end) when some SQL constraints depend on them.
You can then execute this Bash script (import_db.sh) :
#!/usr/bin/env bash\n\nset -euo pipefail\n\n# 1. Import 'torrents' table as CSV (with hex-encoded 'info_hash' column and without invalid UTF-8 characters)\nsqlite3 -readonly data/database.sqlite3 -csv \\\n \"SELECT id, '\\x'||hex(info_hash), name, total_size, discovered_on, updated_on, n_seeders, n_leechers, modified_on FROM torrents;\" \\\n | uconv --callback skip -t utf8 \\\n | TARGET_TABLE=\"torrents\" pgloader -v load_table.pgl\n\n# 2. Import 'files' table as CSV (without invalid UTF-8 characters)\nsqlite3 -readonly data/database.sqlite3 -csv \\\n \"SELECT * FROM files;\" \\\n | uconv --callback skip -t utf8 \\\n | TARGET_TABLE=\"files\" pgloader -v load_table.pgl\n\n# 3. Trigger database complete re-indexation\npodman-compose exec postgres \\\n psql -U magnetico -c 'REINDEX DATABASE magnetico;'Once database import is done, you may simplify your postgres Compose service definition and restart services :
postgres:\n image: docker.io/postgres:18-alpine\n restart: always\n shm_size: 128mb\n environment:\n POSTGRES_USER: \"magnetico\"\n POSTGRES_PASSWORD: \"password\"\n POSTGRES_DB: \"magnetico\"\n volumes:\n - ./data/postgres:/var/lib/postgresql\n- - ./load_trm.sql:/docker-entrypoint-initdb.d/load_trm.sql:ro\n- - ./run:/var/runpodman-compose up -dIf you’re satisfied with the imported dataset you can clean all of our mess (as well as old SQLite database dump) :
\n\nrm -rf \\\n data/database.sqlite3{,-shm,-wal} \\\n run/ \\\n load_table.pgl \\\n import_db.sh \\\n /tmp/pgloader\n\napt autoremove --purge icu-devtools pgloader sqlite3Migration took around ~12 hours on my setup (~30M torrents with ~950M files), but it took me more than a week to completely figure out the process and tidy it up :clown_face:
\n\n‘hope it helped and that one day most of Magnetico users will eventually drop SQLite, preferring PostgreSQL (custom archive) dumps.
\nDon’t forget to share with the world… tracker-free :earth_africa:
![\"A](\"/img/blog/mta-sts-for-protonmail-custom-domain-the-zero-maintenance-way.png\")
This blog post isn’t about explaining MTA-STS (there are already plenty of resources on the Internet to read about this), but more about its integration with custom domains when e-mail is handled by ProtonMail.
\n\n@Wonderfall wrote some years ago a very interesting blog post detailing how ProtonMail lack of MTA-STS support could be circumvented using two DNS entries and a statically served Web page.
\n\nHowever, one month and half ago, someone on Reddit has come up with an elegant solution, presented as “zero maintenance”, leveraging a CloudFlare worker (source, inspired by CloudFlare own documentation) :
\n\nexport default {\n async fetch(request, env, ctx) {\n return fetch('https://mta-sts.protonmail.ch/.well-known/mta-sts.txt');\n },\n};So we will properly detail how to implement this solution, but more importantly how we can self-host a CloudFlare worker alternative, so as not to depend on (another) third-party service provider.
\n\n\n\n\nBelow configuration and code snippets use fake
\nexample.orgdomain name.
mta-sts subdomainBefore anything else, we have to create a mta-sts.example.org subdomain. So you can create an A or AAAA record which targets a Web server you administrate. A record type is currently safer, just in case the MTA on the verge of connecting to ProtonMail servers lack of IPv6 support.
Once it’s done and DNS propagation took place, you have to setup TLS for this domain on the Web server, as you would do for any other site.
\n\nAs MTA-STS policies aren’t really known to change over time, we enable caching to prevent systematic connections to ProtonMail servers.
\n\nFor instance, your Apache VHOST configurations could look like (/etc/apache2/sites-available/mta-sts.example.org.conf) :
<VirtualHost *:443>\n\tServerName mta-sts.example.org\n\tServerAdmin webmaster@example.org\n\n\t# Allow proxy engine to connect to an HTTPS server\n\tSSLProxyEngine On\n\n\t# Setup caching to make it honor ACL and cache the response for 1 day\n\tCacheQuickHandler Off\n\tCacheSocache shmcb\n\tCacheSocacheMaxTime 86400\n\n\t# Ignore ProtonMail \"Cache-Control\" and \"Expires\" headers\n\tHeader unset Cache-Control\n\tHeader unset Expires\n\t# Ignore lack of \"Last Modified\" header in ProtonMail response\n\tCacheIgnoreNoLastMod On\n\n\t# Transparently serve Proton's MTA-STS policy\n\t<Location /.well-known/mta-sts.txt>\n\t\tCacheEnable socache\n\n\t\t# Result will be cached, always close TCP session afterwards\n\t\tProxyPass https://mta-sts.protonmail.ch/.well-known/mta-sts.txt disablereuse=on\n\t\tProxyPassReverse https://mta-sts.protonmail.ch/.well-known/mta-sts.txt\n\t</Location>\n\n\tErrorLog ${APACHE_LOG_DIR}/mta-sts.example.org_error.log\n\tCustomLog ${APACHE_LOG_DIR}/mta-sts.example.org_access.log combined\n\n\tSSLEngine On\n\tSSLCertificateFile /path/to/mta-sts.example.org/fullchain.pem\n\tSSLCertificateKeyFile /path/to/mta-sts.example.org/privkey.pem\n\n\tHeader always set Strict-Transport-Security: \"max-age=63072000\"\n</VirtualHost>\n\n<VirtualHost *:80>\n\tServerName mta-sts.example.org\n\tServerAdmin webmaster@example.org\n\n\tRewriteEngine On\n\tRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]\n</VirtualHost>You now only have to enable some Apache modules as well as above new site, and reload Apache configuration (Debian procedure) :
\n\na2enmod cache_socache proxy ssl\na2ensite mta-sts.example.org.conf\nsystemctl reload apache2.service\n\n# If you opt for disk-based caching (mod_cache_disk), don't forget to enable Apache2 cleaning systemd service\nsystemctl enable --now apache-htclean.serviceYou can now check MTA-STS policy is properly enforced for your domain by downloading it :
\n\ncurl https://mta-sts.example.org/.well-known/mta-sts.txt\n\nversion: STSv1\nmode: enforce\nmx: mail.protonmail.ch\nmx: mailsec.protonmail.ch\nmax_age: 604800_mta-sts subdomainNow your MTA-STS policy is available to the world, you have to allow its “discovery”, through an additional TXT DNS record.
So the idea here, instead of copying ProtonMail own TXT record value (dig +noall +answer TXT _mta-sts.protonmail.ch) and adding it ourselves as _mta-sts.example.org, is rather to simply create a CNAME for _mta-sts.example.org, pointing to _mta-sts.protonmail.ch.
This way, when MTA will try to probe SMTP server for MTA-STS support, they will hit ProtonMail own beacon :
\n\ndig +noall +answer TXT _mta-sts.example.org\n\n_mta-sts.example.org.\t1799\tIN\tCNAME\t_mta-sts.protonmail.ch.\n_mta-sts.protonmail.ch.\t1200\tIN\tTXT\t\t\"v=STSv1; id=190906205100Z;\"That’s it ! MTA-STS policy should be enforced for your domain :innocent:
\n\nWait ! Don’t close this tab yet ! Let’s take the opportunity to have access to our DNS administration console to also setup TLS-RPT.
\n\nTLS-RPT (“TLS Reporting”) allows you to receive reports about e-mail delivering issues, which are related to TLS connection. As we just have enforced a strict TLS policy, this is important to at least be notified in case of errors.
\n\nSo first, let’s query ProtonMail’s TLS-RPT configuration :
\n\ndig +noall +answer TXT _smtp._tls.protonmail.ch\n\n_smtp._tls.protonmail.ch. 1200\tIN\tTXT\t\"v=TLSRPTv1; rua=https://reports.proton.me/reports/smtptls\"So ProtonMail asks MTA to POST TLS-RPT reports to their own API endpoint.
However, as TLS-RPT allows us to specify more than one RUA (which stands for “Reporting URI for Aggregated reports”) :
\n\n\n\n\nThe record supports the ability to declare more than one rua, and if there exists more than one, the reporter MAY attempt to deliver to each of the supported rua destinations.
\n
So let’s leverage this specification detail to send report to ourselves, as well as ProtonMail (hoping they actually do something about them).
\n\nYou only have to create a new TXT record for _smtp._tls.example.org which contains the value v=TLSRPTv1; rua=mailto:security@example.org,https://reports.proton.me/reports/smtptls. Don’t forget to adapt the e-mail address which should receive those reports !
If you’re happy with your setup, you can then test it using (for instance, and I’ve absolutely nothing to do with them) EasyDMARC. A TLS-RPT checker is also available.
\n\nI hope this post has helped you ! As always, credits go to their respective owners and comments are appreciated :pray:
\n\n> Post header image was generated using ChatGPT (please, never again)
\n", "summary": "MTA-STS and TLS-RPT transparent setup for ProtonMail custom domain", "tags": ["Security"] },{ "title": "Projects ask for contributors but are reluctant to contributions", "date_published": "2024-07-06T19:33:00+02:00", "date_modified": "2024-07-06T19:33:00+02:00", "id": "https://samuel.forestier.app/blog/articles/projects-ask-for-contributors-but-are-reluctant-to-contributions", "url": "https://samuel.forestier.app/blog/articles/projects-ask-for-contributors-but-are-reluctant-to-contributions", "image": "https://samuel.forestier.app/img/blog/projects-ask-for-contributors-but-are-reluctant-to-contributions_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/projects-ask-for-contributors-but-are-reluctant-to-contributions_1.png\")
Over the past years, I contributed to various projects on GitHub. It turned out two recent contributions (1 & 2) turned into fiascos. Fiascos I’ll try to comment here, as they retrospectively appeared to me as “weak signals” of FOSS ecosystem deep symptoms related to contributions acceptance.
\n\n\n\n\nIn this post I’ll be referring a lot to “FOSS”, standing for Free and Open-Source Software.
\n
It’s true maintainers are accountable for the software they work on. Although, as an external contributor I am definitely responsible for the (broken ?) patch I push.
\n\nIf you fear accountability, despite the “zero guarantee” OSS license that should already protects you (strictly speaking from a legal point of view), feel free to reject patch soon (or you can always rework it yourself, if you prefer when “it’s written your way”).
\n\nDon’t put the burden of missing integration/non-regression tests on contributors ; They already invested a long time to :
\n\ncheckout your code and setup development environment ;
\nread your documentation (if any) ;
\nnail down the bug/implement a new feature ;
\nread your contributing guidelines (if any) ;
\nfollow your coding style ;
\ncleanup the patch before proposing it to the world ;
\ndeal with your forge technical specificities to actually submit changes.
\nOptionally, they could also figure out the issue required to be addressed in a third-party dependency, or even worst case : a fork you made of it (!).
\n\nFocusing on improving “tests” could be handled afterwards, as a totally separate concern (proposing a bug fix or new feature on a currently untested code base is fully independent from addressing the actual issue).
\n\nLet’s be clear : improving an untested piece of code is still improving a piece of code. End-users (including third developers) absolutely do not care about the status of your current code base coverage.
\n\nIf your entry point (main) isn’t tested (only integration tests can), please exclude it from code coverage results, allowing it to be modified (read “improved”) without bringing “bad statistics” to your CI.
This is not new : there is only a few people maintaining way too many software.
\nOne of the consequences of these bus factors (also called “circus factors”, like the recent decision of Neofetch creator and maintainer to simply quit after more than two years of vacancy) : it’s hard to expect from them fully-rational and situational reviews (i.e. reviews based on the actual diff instead of whether or not the CI pipeline is green, commits have been “signed-off” or overall code coverage has increased).
Code bases are huge and usually rather complex (we wouldn’t propose changes if they weren’t), thus they often require maintainer complete focus to be properly treated.
\n\nAs a maintainer, you’re committed to the project roadmap. But if you adhere to Open-Source Software philosophy that’s only one of the missions.
\n\nLet’s name a few others :
\n\nmake it work in most of (supported) environments, mostly when a contributor already did the job and implemented another platform or environment support ;
\nmake it as secure as possible because, despite the “zero guarantee” license, you don’t know what your software will be used for, and it may end up in a critical system (that’s why EU funds OSS bug bounty or USA now considers OSS security as critical) ;
\nprovide help and support for users (at least by pointing them to documentation or third resources so they can properly work on their side) ;
\nexplore any possibility of “empowerment” : if there is a need, or when developer opted for an opinionated default behavior, there should be an option for it.
\nHot take : if you don’t think so, but still are enthusiast about publishing some lines of code (because you like to share stuff to the world, or think code is a form of art), please push them to a read-only mirror or disable direct contributions on your forge (this will spare some developer precious time and make them opt for an alternative solution to address their issue).
\n\nIt’s not because there are plenty of idiots sending you harsh or dumb messages that a new contributor will be necessarily harsh or dumb. You don’t have to repeat four times the same thing : we usually also have a brain behind our screen.
\nIf you will eventually refuse proposed changes, don’t ask three times for a new version (believe it or not, it actually consumes time on the other end) and quickly (not after 6 months) reject them by explaining why.
Do not ask me to test third-API, mostly standard library ones. They are usually already tested upstream, and if not (shame on their maintainers !), they are de facto (due to the number of programs using them for several years and the fact they still exist in their current form).
\n\nInstead, you should add linting jobs to your CI, which will check for their proper uses (number of arguments, possibly their types, return type, …).
\n\nPlease do not ask me to “record videos” of my screen showing that submitted patch “work as expected”. This has absolutely no value, and it consumes time.
\n\nYou can’t possibly have any trust in my machine, the code I am (showing you) running, the configuration I dumped somewhere on disk nor the runtime environment it uses. It isn’t reproducible at all, and gives a false feeling of safety.
\n\nYou want to make sure proposed changes “work” and you don’t have any non-regression test ? Please kindly checkout my branch and run your own tests locally. You’re likely setup to do so, and if you think your setup is representative enough, you’re free to accept changes and merge them.
\n\nIn cryptography, we don’t trust a peer handing over a public key without a signature from its private part.
\nMore generally in science, we don’t consider something true until it has been demonstrated.
… including moral judgment and/or proselytism.
\n\nSerializing information (from brain to a text box) and deserializing (from an HTML page to brain) costs us time and energy. Please don’t use issue tracker or review comments to share your rants like :
\n\n\n\n\n[…] You need to [understand] test, “I think” is the worst [word] for testing.
\n
… which had been quickly edited afterwards to :
\n\n\n\n\n[…] You need to [understand] test, testing is for fixing your “I think”.
\n
Yes, thanks, I understand tests quite well. I implemented unit and integration tests from scratch for an existing code base, and always include proper jobs in new projects. All my contributions address documentation and tests, when it’s possible (read “when your project already got some”).
\n\n(While we’re at it : my “I think” wasn’t about testing itself, but precisely the fact that “testing videos” recorded on third-machines cannot act as tests themselves.)
\n\nContrary to way too many members of the FOSS community, I don’t consider the “xz backdoor attempt” as a failed one. Even if it didn’t reach Debian stable repositories (or any other Linux distribution “stable” release) nor each and every running OpenSSH servers on the planet, it actually end up running on systems connected to Internet, hence machines that we can consider “compromised”.
\nOne may always say that running production systems on “unstable” or “rolling-release” distributions is a terrible idea (and I would agree here), but this changes absolutely nothing : malicious code has been executed somewhere without CPU owner will, and that is definitely a “success” from perpetrator(s) point of view.
Moreover, if the supply-chain attack actually targeted an organization running even one public-facing SSH server using a “rolling-release” distribution, it could be considered compromised.
\nIf we take Debian for instance, it has been almost one month between the first merge of malicious content (it appeared “broken”, from perpetrator(s) point of view) and the revert to a previous (supposedly) “clean” version.
One, month. Think about it.
\n\n![\"A](\"/img/blog/projects-ask-for-contributors-but-are-reluctant-to-contributions_2.png\")
Indeed, we must be careful about what we merge. That’s why integration pipelines must be as relevant as possible and security tests should also be included. But automation won’t solve any problem (as always), and brain needs to be switched on to give a contextualized review.
\n\nMaintaining a software is accepting that we (maintainers) are not the only ones to use it, nor to decide what it should look like. It also means others’ needs have to be treated like our (their) ones. The direct consequence of this is a matter of time (it’s always about that, don’t you think ?).
\nBy publishing software on a public forge, you (implicitly) signed up for dedicating time to others. And it’s what constitutes the power of FOSS. Use it well.
> Post header image was generated using Adobe Firefly
\n\n", "summary": "Retrospective analysis of two rather recent contributions to Open-Source Software", "tags": ["Articles"] },{ "title": "How I finally got rid of Docker", "date_published": "2023-11-11T21:56:00+01:00", "date_modified": "2024-01-07T15:33:00+01:00", "id": "https://samuel.forestier.app/blog/security/how-i-finally-got-rid-of-docker", "url": "https://samuel.forestier.app/blog/security/how-i-finally-got-rid-of-docker", "image": "https://samuel.forestier.app/img/blog/how-i-finally-got-rid-of-docker_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/how-i-finally-got-rid-of-docker_1.png\")
Docker Compose has been a regular way of distributing/running container stacks to deploy services for many years now. What is actually interesting is the “Compose spec”, which mainly defines static representation(s) (it used to be multiple versions of it) of these stacks (i.e. how different services share resources [or not], and “work” together).
\n\nFor this second post of this “Podman series” (also see “Podman rootless in Podman rootless, the Debian way”), I will explain how I replaced Docker-Compose (and hence Docker itself) by Podman-Compose for some personal services.
\n\nHistorically, Composing with Docker was achieved by using Docker-Compose (v1), a binary which was actually a Python program built using PyInstaller, and invoked by docker-compose. On Debian, it is still packaged in main repositories.
Since 2021 (and mostly since last year), Composing is now achieved using Docker Compose (v2), a Go plugin for the docker (client) CLI.
\nOn Debian, once Docker repository has been added, setup is pretty straightforward : apt install docker-ce docker-compose-plugin.
\nInvocation is then done by docker compose (please note the space instead of the dash).
In either case, a docker-compose.yml file is usually downloaded according to vendor recommendations (or carefully handcrafted when missing :stuck_out_tongue:), and modulo a docker[-]compose up -d invocation, you’re all set and running.
Whereas Podman has been built as a “drop-in replacement” for Docker (despite internals being fundamentally different), Composing was initially out-of-scope (or very partially supported). But it’s 2023, and Podman-Compose is now a robust alternative.
\n\nWithin this containers ecosystem where (almost) everything is written in Go, please welcome Python again (and mind the coming back of the dash !).
\n\nPodman-Compose implements the Compose spec, while still being oriented “rootless” (after all, it’s what we expect from Podman, isn’t it ?) and “daemon-less”.
\n\nFirst we create a system user dedicated to Podman execution :
\n\nadduser --system namdop --group --home /opt/namdopUnlike Docker, there is no such thing as a (privileged) daemon running and waiting for us to give commands.
\nSo we must enable systemd-logind “lingering” for our system user to make systemd start (in user mode) on machine boot, and thus provide a proper runtime for OOTB Podman execution :
loginctl enable-linger namdopNow we can install Podman and deal with Debian (undesired) pulled dependencies :
\n\napt-get install -y --no-install-recommends \\\n podman \\\n slirp4netns \\\n uidmap \\\n golang-github-containernetworking-plugin-dnsname\n\nsystemctl --global disable --now \\\n dirmngr.socket \\\n gpg-agent.socket \\\n gpg-agent-browser.socket \\\n gpg-agent-extra.socket \\\n gpg-agent-ssh.socketWe then define our ranges of UIDs/GIDs dedicated to our system user :
\n\necho \"namdop:100000:65536\" > /etc/subuid\necho \"namdop:100000:65536\" > /etc/subgid\n\n\n:warning: Podman-Compose is packaged in Debian main repositories, but (already) pretty old so you’ll understand why we go through PyPI to retrieve an up-to-date version.
\n
As we like doing clean things and we actually don’t wanna break our system, we will install podman-compose in a Python virtual environment :
apt-get install -y python3-venvNow we can finalize the setup as our regular system user :
\n\nsu - namdop -s /bin/bash\n\npython3 -m venv venv && source venv/bin/activate\npip3 install -U pip wheel\n\npip3 install podman-compose\n\nmkdir my_service && cd my_service/\n\n# Here you can setup your docker-compose.yml and required configuration/data, as you would do with Docker !\n# ...\n\npodman-compose up -drestart policy pitfallSooo, as you may already know, containers do not start on boot by default. This behavior depends on the --restart={always,no,on-failure[:max-retries],unless-stopped} flag, that you can should specify when creating a container (or through the restart key in a Compose file).
Unlike for “standalone” Podman where we could run podman generate systemd <container> to make a container actually managed by systemd as a regular “service” (and thus enjoy the Restart policy feature), there is no such thing (yet ?).
As a workaround, we can rely on the (global) systemd service unit (called podman-restart.service), responsible for restarting containers on boot, that we must enable in our (user mode) systemd runtime :
XDG_RUNTIME_DIR=\"/run/user/$(id -u)\" systemctl --user enable --now podman-restart.serviceWhereas unless-stopped is supposed to be identical to always with Podman, packaging hits us hard and that’s unfortunate.
\npodman-restart.service unit specifies --filter=always to only (re)start containers that should be.
So you must add :
\n\nservices:\n service:\n # ...\n restart: always\n # ...… to your Compose stacks to enjoy containers auto-restart, or you will have to tweak the upstream systemd unit :clown_face:
\n\nThis issue has already been mentioned two years ago by @plevart, but it has not been fixed yet.
\n\napt-get autoremove --purge docker-ce docker-compose-plugin\n\nrm -f /etc/apt/keyrings/docker.gpg\nrm -f /etc/apt/sources.list.d/docker.list\napt-get update![\"A](\"/img/blog/how-i-finally-got-rid-of-docker_2.png\")
![\"A](\"/img/blog/certbot-unprivileged-debian-setup-walkthrough_1.png\")
Some weeks ago, while I was upgrading my server operating system, I had to reboot the machine to load the new kernel. Unfortunately, the machine actually wasn’t feeling well and decided not to reboot. After contacting the data center support, it appeared the chassis had a critical hardware failure which prevented it from booting again.
\n\nThis event taught me several things :
\n\nreboot is not an innocuous operation (in my very case : IPMI fails very quickly after power on, and serial console was not reading anything interesting) ;
\nhardware issues may have nothing to do with current runtime (no kernel warning popped out recently) ;
\nbackups are primordial (you can’t imagine how the last backup I’ve run some days before the upgrade reassured me during this period) ;
\nSLA means something, including for IaaS (in my very case : probably due to a blade containing multiple servers, data center operators couldn’t access the chassis to get the disk out without impacting other clients. So they did not, according to the SLA).
\nOn our “new” machine, I had to go through re-setup Web server(s) and, among other things, TLS certificates.
\n\nDo I really need to introduce you to EFF’s Certbot, which you are very likely already using to obtained HTTPS certificates from Let’s Encrypt ? I guess not, ‘cause you wouldn’t be reading this blog post if you know nothing about it.
\n\n\n\n\nSo what is the link between your server crash and Certbot ?
\n
Well, this time I decided not to grant administrator privileges to this piece of software, and we’ll see how we can achieve that.
\n\nOfficial setup procedure recommends to go through Canonical’s snapd software to deploy Certbot, but I tend to reject these approaches, mostly when it’s about running interpreted code (and not compiled C/C++ programs, which can require several libraries loaded at runtime, which can “justify” [please note the quotes] shipping tons of BLOBs to ease deployment among heterogeneous systems).
\n\n![\"A](\"/img/blog/certbot-unprivileged-debian-setup-walkthrough_2.png\")
As Certbot is still distributed through PyPI, we’ll go this way.
\n\napt install -y python3-venv\nadduser --system certbot --home /opt/certbot\nsu - certbot -s /bin/bash\n\n# As certbot user :\npython3 -m venv venv && source venv/bin/activate\npip3 install -U pip wheel\npip3 install certbotSo there is two ways to ask for an HTTPS certificate : either Certbot spawns an HTTP Web server and directly responds to CA’s http-01 challenge, or it could write to an already “served” HTTP Web root.
\n\nThe idea here is to make Certbot bind a local port > 1024, redirect new HTTP traffic to this port and let it directly respond to the http-01 challenge (as it were the actual Web server behind your domain name/IP address).
\n\nFor a certificate that has been asked for the first time this way (as certbot user) :
venv/bin/certbot \\\n --work-dir=/opt/certbot \\\n --logs-dir=/opt/certbot/logs \\\n --config-dir=/opt/certbot/config \\\n certonly \\\n --standalone \\\n --http-01-address 127.0.0.1 \\\n --http-01-port 8080 \\\n -d \"your.domain.name\"… I propose you below Bash renewal script (mainly the detailed steps to adapt with your setup) :
\n\n#!/usr/bin/env bash\n\nset -euo pipefail\n\nDOMAIN=\"your.domain.name\"\nWAN_IP_ADDRESS=\"your.wan.ip.address\"\nWAN_NETWORK_INTERFACE=\"eth0\"\nHTTP_01_LOCAL_ADDR=\"127.0.0.1\"\nHTTP_01_LOCAL_PORT=8080\n\n# 1. Some firewall rules to DNAT and ACCEPT (new) HTTP traffic to local http-01 port\ndnat_rule_handle=\"$(nft -ej insert rule ip nat prerouting ip daddr \"$WAN_IP_ADDRESS\" tcp dport http ct state new dnat to \"${HTTP_01_LOCAL_ADDR}:${HTTP_01_LOCAL_PORT}\" | grep -vE '^#' | jq -r .nftables[0].insert.rule.handle)\"\nfilter_rule_handle=\"$(nft -ej insert rule inet filter input ip daddr \"$HTTP_01_LOCAL_ADDR\" tcp dport \"$HTTP_01_LOCAL_PORT\" ct state new accept | grep -vE '^#' | jq -r .nftables[0].insert.rule.handle)\"\n\n# 2. Allow DNAT to loopback\nsysctl -q -w \"net.ipv4.conf.${WAN_NETWORK_INTERFACE}.route_localnet=1\"\n\n# Renew the certificate using Certbot (`|| true` is required to allow it to fail, \"for reasons\")\nsu - certbot -s /bin/bash -c \\\n \"/opt/certbot/venv/bin/certbot --work-dir=/opt/certbot --logs-dir=/opt/certbot/logs --config-dir=/opt/certbot/config renew -q\" \\\n || true\n\n# 3. Disallow DNAT to loopback\nsysctl -q -w \"net.ipv4.conf.${WAN_NETWORK_INTERFACE}.route_localnet=0\"\n\n# 4. (situational) Install cryptographic materials where they need to be\ncp \"/opt/certbot/config/live/${DOMAIN}/fullchain.pem\" /path/to/fullchain.pem\ncp \"/opt/certbot/config/live/${DOMAIN}/privkey.pem\" /path/to/privkey.pem\n\n# 5. (situational) Restart the service(s) to load the new certificate(s)\nsystemctl restart apache2.service\n\n# 6. Delete our temporary firewall rules\nnft delete rule inet filter input handle \"$filter_rule_handle\" || true\nnft delete rule ip nat prerouting handle \"$dnat_rule_handle\" || trueFor this script to work, I assume :
\n\njq is available on the system (used to parse nft JSON output) ;
The firewall is managed through nftables ;
\n(nftables) tables ip nat and inet filter exist ;
(nftables) chains prerouting (ip nat) and input (inet filter) exist.
Note : http-01 server configuration is stored by Certbot so we don’t have to specify --http-01-* arguments during renewal.
This is the method I’d prefer, as we don’t have to play with firewall.
\n\nFirst, you will have to tweak your Web server configuration (i.e. the default VHOST) to :
\n\nDisable HTTPS redirection for .well-known URIs (if any) ;
Allows access to .well-known/acme-challenge Web root (if restricted).
Below, for instance, Apache httpd configuration :
\n\n<VirtualHost *:80>\n\tServerName your.domain.name\n\n\t# Certbot\n\tDocumentRoot /var/www\n\t<Directory /var/www/.well-known/acme-challenge>\n\t\tRequire all granted\n\t</Directory>\n\n\tRewriteEngine on\n\tRewriteCond %{REQUEST_URI} !^/\\.well-known\n\tRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]\n</VirtualHost>Now, you can run the following commands :
\n\n# Prepare the Web root\nmkdir -p /var/www/.well-known/acme-challenge\nchown www-data:www-data /var/www/.well-known\nchown certbot:www-data /var/www/.well-known/acme-challenge\n\n# Reload Apache httpd configuration\na2enmod rewrite\nsystemctl restart apache2.service\n\n# Ask for a certificate\nsu - certbot -s /bin/bash -c \\\n \"/opt/certbot/venv/bin/certbot --work-dir=/opt/certbot --logs-dir=/opt/certbot/logs --config-dir=/opt/certbot/config certonly --webroot-path=/var/www -d 'your.domain.name'A typical renewal procedure would then be :
\n\nsu - certbot -s /bin/bash -c \\\n \"/opt/certbot/venv/bin/certbot --work-dir=/opt/certbot --logs-dir=/opt/certbot/logs --config-dir=/opt/certbot/config renew --deploy-hook 'touch certs_renewed' -q\"\n\nif [ -f /opt/certbot/certs_renewed ]; then\n\tsystemctl restart apache2.service\n\trm -f /opt/certbot/certs_renewed\nfiNote : Web root path configuration is stored by Certbot so we don’t have to specify --webroot-path argument during renewal.
The trick with --deploy-hook is required as Certbot exits with status code 0 on “success” (i.e. either when zero, one or multiple certificates got renewed). @iquito’s workaround is thus required here if we want to prevent unconditional Web server restart.
Do backup. Try your restoration procedure. Encrypt the world. Get rid of unnecessary privileges. KISS.
\n", "summary": "Let's deploy and run these Python lines of code without any privilege !", "tags": ["Security"] },{ "title": "Blog domain name update", "date_published": "2023-10-24T14:25:00+02:00", "date_modified": "2023-10-24T14:25:00+02:00", "id": "https://samuel.forestier.app/blog/articles/blog-domain-name-update", "url": "https://samuel.forestier.app/blog/articles/blog-domain-name-update", "image": "https://samuel.forestier.app/img/blog/blog-domain-name-update_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "A very short blog post to announce that blog “has moved” to samuel.forestier.app (no, I haven’t been hacked [yet]) ! :stuck_out_tongue:
So please do update your bookmark and/or RSS feed addresses (I’ve seen in logs that some RSS readers are still querying the previous address, and that they don’t seem to remember the 301 Permanent Redirect that I’ve set up).
HTTP redirections from old domain will stay configured for about 2 weeks from now.
\n\nBye :wave:
\n", "summary": "Please update your bookmark and/or RSS feed !", "tags": ["Articles"] },{ "title": "Podman rootless in Podman rootless, the Debian way", "date_published": "2023-09-17T10:31:00+02:00", "date_modified": "2024-10-22T22:39:00+02:00", "id": "https://samuel.forestier.app/blog/security/podman-rootless-in-podman-rootless-the-debian-way", "url": "https://samuel.forestier.app/blog/security/podman-rootless-in-podman-rootless-the-debian-way", "image": "https://samuel.forestier.app/img/blog/podman-rootless-in-podman-rootless-the-debian-way_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/podman-rootless-in-podman-rootless-the-debian-way_1.png\")
Podman is the new de facto state-of-the-art to run containers on Linux. It comes by design with a very interesting feature : rootless container. In this mode, the container runtime itself runs without privileges. This means exploiting the container runtime could at most grant the attacker the permissions of the running user (kernel own attack surface is out-of-scope here).
\n\nHistorically, sysadmins and CI/CD developers found themselves in situations where they have to run container in container (see Docker-in-Docker, a.k.a. DinD), or other things also dealing with cgroups/seccomp/namespacing running in a container (e.g. systemd in unprivileged LXC). We call this “nesting”, and this may introduce some security benefits (as always depending on your threat model).
\n\nNesting Podman in “containers” is supported and actually documented, and the combinational leads to these situations :
\n\nRootful in rootful (pretty bad from a security point of view)
\nRootless in rootful (already better !)
\nRootful in rootless (pretty handy, but consider your container compromised if the application runs as root and has flaws)
\nRootless in rootless (ideal from a security point of view !)
\nThere is a hiccup between (at least) 4 and Debian image, and that’s why we’ll talk about here.
\n\n\nIn below commands, you’ll see I map
\n/dev/fusedevice in containers to provide OverlayFS support in unprivileged user namespaces for Linux < 5.11.
Podman is very well integrated in the Red Hat ecosystem (mainly with systemd), and the official Podman container image is built upon Fedora.
\n\nOn a rather “recent” GNU/Linux distribution, you can safely run as a regular user :
\n\npodman run -q -it --rm \\\n --user podman \\\n --device /dev/fuse \\\n quay.io/podman/stable:latest \\\n podman run -q -it --rm \\\n docker.io/library/alpine:latest \\\n sh\n/ # id\nuid=0(root) gid=0(root) groups=1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video),0(root)This command pulls the official Podman container image and runs, as a regular user too (named podman in the first container), another Podman runtime which pulls the official Alpine image and spawns a shell in it.
If we focus on user namespaces, it gives :
\n\nthe first podman runs as uid=1000 (host machine user session)
the second podman (in the first container) runs as uid=1000 (but shifted by 100000, default value defined in /etc/subuid on Debian)
eventually, sh runs as uid=0 (shifted by 101001, where 100000 comes from parent user namespace and 1001 from /etc/subuid packaged in quay.io/podman/stable image)
Podman is packaged in Debian since Bullseye (11). A simple apt install podman (which pulls a lot of recommended dependencies, I’d confess) and you’re all set.
Since Debian 12 (this year !), the specific-but-deprecated kernel.unprivileged_userns_clone sysctl parameter is even enabled by default so you don’t have to tweak your system anymore.
Unfortunately, if we attempt to build a Debian-based image to run “rootless in rootless” with such a Containerfile :
FROM debian:bookworm\n\nRUN apt-get update && \\\n apt-get upgrade -y && \\\n apt-get install -y --no-install-recommends podman fuse-overlayfs slirp4netns uidmap\n\nRUN useradd podman -s /bin/bash && \\\n echo \"podman:1001:64535\" > /etc/subuid && \\\n echo \"podman:1001:64535\" > /etc/subgid\n\nARG _REPO_URL=\"https://raw.githubusercontent.com/containers/image_build/refs/heads/main/podman\"\nADD $_REPO_URL/containers.conf /etc/containers/containers.conf\nADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf\n\nRUN mkdir -p /home/podman/.local/share/containers && \\\n chown podman:podman -R /home/podman && \\\n chmod 0644 /etc/containers/containers.conf\n\nVOLUME /home/podman/.local/share/containers\n\nENV _CONTAINERS_USERNS_CONFIGURED=\"\"\n\nUSER podman\nWORKDIR /home/podman… it hard fails with :
\n\npodman image build -q -t debian:podman -f Containerfile . && \\\n podman run -q -it --rm \\\n --device /dev/fuse \\\n debian:podman \\\n podman unshare bash\n98ea1c8c9e32cff5c3dabc4925f55a87cfad77e32d5778785a4f025215124fab\nERRO[0000] running `/usr/bin/newuidmap 12 0 1000 1 1 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted \nError: cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1@jam49 initially experienced this error while trying to run Podman rootless in Jenkins official Docker image, which is Debian-based.
\nGranting CAP_SYS_ADMIN to parent user namespace (hence the first container) actually “fixes” this issue, but this is highly discouraged due to the bloated range of system operations that it permits, which can easily leads to root privileges. Also, unless explicitly dropped, it will be inherited in child user namespaces as well (including the one running your application or service !).
So, why does this work flawlessly on Fedora, and not against Debian ? Let’s dive in user namespaces and capabilities magic world :smirk:
\n\nnewuidmap, to user namespaces and capabilitiesnewuidmap (respectively newgidmap) is a privileged program maintained in shadow-utils project (see upstream tree, or shadow on Debian) which allows unprivileged users to safely map their UID (GID) to parent user namespace, based on ids range defined in /etc/subuid (/etc/subgid) file.
Since Linux >= 3.9, modifying namespace id mapping requires CAP_SYS_ADMIN. As this capability is usually not granted in container contexts, shadow-utils maintainers switched to file capabilities (in a backward-compatible way for setuid setups (see !132, fixed-up by !138).
Going through file capabilities is a good way to obtain them even if they are missing from your “Effective set” (they still need to be in your “Permitted set” though, see this awesome diagram, or even next section for a visual experience).
\n\nDebian (still) installs uidmap binaries with setuid bit, whereas the packaged version fully-supports file capabilities (>= 4.7), since Bullseye (11).
\nTheoretically, this shouldn’t be an issue as gaining root privileges through setuid bit implies the full set of capabilities by default.
\nSo, would uidmap be compiled without capability support, and thus failing to retain CAP_SETUID (CAP_SETGID) ? :thinking:
We can see in Debian shadow sources that :
But what do build logs tell ?
\n\n![this awesome diagram](\"https://blog.ploetzli.ch/wp-content/uploads/2014/12/capabilities.png\"){kind=link}
apt install -y --no-install-recommends devscripts wget\n\n# Download last `shadow` (packaging `uidmap` binaries) build logs\ngetbuildlog shadow \"last\" amd64\n\ngrep 'sys/capability.h' shadow_*_amd64.log \nchecking for sys/capability.h... noThat’s it ! Due to Debian shadow compilation environment and packaging, uidmap binaries lack of both capabilities upstream patches.
As stated here, dropping setuid bit and granting CAP_SETUID (CAP_SETGID) as file capability in our previous Debian-based image using setcap (libcap2-bin package on Debian) :
FROM debian:bookworm\n \n RUN apt-get update && \\\n apt-get upgrade -y && \\\n apt-get install -y --no-install-recommends podman fuse-overlayfs slirp4netns uidmap\n \n RUN useradd podman -s /bin/bash && \\\n echo \"podman:1001:64535\" > /etc/subuid && \\\n echo \"podman:1001:64535\" > /etc/subgid\n \n ARG _REPO_URL=\"https://raw.githubusercontent.com/containers/image_build/refs/heads/main/podman\"\n ADD $_REPO_URL/containers.conf /etc/containers/containers.conf\n ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf\n \n RUN mkdir -p /home/podman/.local/share/containers && \\\n chown podman:podman -R /home/podman && \\\n chmod 0644 /etc/containers/containers.conf\n \n VOLUME /home/podman/.local/share/containers\n \n+ # Replace setuid bits by proper file capabilities for uidmap binaries.\n+ # See <https://github.com/containers/podman/discussions/19931>.\n+ RUN apt-get install -y libcap2-bin && \\\n+ chmod 0755 /usr/bin/newuidmap /usr/bin/newgidmap && \\\n+ setcap cap_setuid=ep /usr/bin/newuidmap && \\\n+ setcap cap_setgid=ep /usr/bin/newgidmap && \\\n+ apt-get autoremove --purge -y libcap2-bin\n+ \n ENV _CONTAINERS_USERNS_CONFIGURED=\"\"\n \n USER podman\n WORKDIR /home/podman… elegantly workarounds this issue :
\n\npodman image build -q -t debian:podman -f Containerfile . && \\\n podman run -q -it --rm \\\n --device /dev/fuse \\\n debian:podman \\\n podman unshare bash\n6b0661ddedbf13459493720f992c171d912d33bfd79a48a0d162d3eb0335cc99\nroot@bbb7d3d08f5a:~# id\nuid=0(root) gid=0(root) groups=0(root)CAP_SETUID (CAP_SETGID) is explicitly forbidden in my context ?Well, as you can imagine, it breaks again :
\n\npodman image build -q -t debian:podman -f Containerfile . && \\\n podman run -q -it --rm \\\n --device /dev/fuse \\\n --cap-drop setuid,setgid \\\n debian:podman \\\n podman unshare bash\n6b0661ddedbf13459493720f992c171d912d33bfd79a48a0d162d3eb0335cc99\nERRO[0000] running `/usr/bin/newuidmap 9 0 1000 1 1 1001 64535`: \nError: cannot set up namespace using \"/usr/bin/newuidmap\": fork/exec /usr/bin/newuidmap: operation not permittedAlthough, you’ll notice the error is slightly different : kernel prevents binary execution, instead of subsequent /proc/self/uid_map write operation as observed before.
If your “last level of nesting” is not supposed to re-gain privileges, you can safely set the “No New Privileges” flag through a Podman security option :
\n\npodman run -q -it --rm \\\n --user podman \\\n --device /dev/fuse \\\n --security-opt=no-new-privileges \\\n quay.io/podman/stable \\\n podman run -q -it --rm \\\n alpine:latest \\\n sh\nERRO[0000] running `/usr/bin/newuidmap 9 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted \nError: cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1Here we can note that the flag actually breaks our first post example, as expected (gaining privileges from newuidmap program is denied by kernel).
The status of this flag can be retrieved using capsh :
podman run -q -it --rm \\\n --user podman \\\n --device /dev/fuse \\\n --security-opt=no-new-privileges \\\n quay.io/podman/stable \\\n bash\n[podman@5936edfb845d /]$ /sbin/capsh --print | grep no-new-privs\nSecurebits: 00/0x0/1'b0 (no-new-privs=1)… or even directly through /proc :
grep NoNewPrivs /proc/self/status\nNoNewPrivs:\t1This has been a “funny” bug to investigate !
\n\nI’ve run a quick search on the Web and it doesn’t look like Debian plans to switch to file capabilities for uidmap binaries (yet), so it’s very likely that the shim above will be around for some time.
\n", "summary": "How a tiny packaging difference breaks a whole feature", "tags": ["Security"] },{ "title": "How to rewrite Git history while keeping message commit references", "date_published": "2022-03-26T12:41:00+01:00", "date_modified": "2022-03-29T19:17:00+02:00", "id": "https://samuel.forestier.app/blog/tutorials/how-to-rewrite-git-history-while-keeping-message-commit-references", "url": "https://samuel.forestier.app/blog/tutorials/how-to-rewrite-git-history-while-keeping-message-commit-references", "image": "https://samuel.forestier.app/img/blog/how-to-rewrite-git-history-while-keeping-message-commit-references_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/how-to-rewrite-git-history-while-keeping-message-commit-references_1.png\")
Sometimes, you would like to clean your Git history (let’s say, to remove a redacted production secret still present in history, or maybe change an old committer identity).
\n\n\n\n\n:warning: As such operations are very dangerous, please read this post fully before running anything, and note that I hereby decline any responsibility (as always) if something bad happens to your project.
\n
If you reach this page, you already know the problem : rewriting Git history causes all identifiers (SHA) following the first affected commit to change, and you cannot do a thing about it.
\n\nIf one of the developers used to specify commit references in their own commit messages (like This commit follows 40d5014 [...]), they won’t mean anything once rewriting is done.
\nMoreover, if some of your commits “revert” others, they are also affected (Git does not update them automatically).
So we have somehow to dynamically “update” commit references, while rewriting the history, according to new commit identifiers.
\n\nBelow is a script implementing this, derived from one of the official GIT-FILTER-BRANCH(1) manual page examples, updating root <root@localhost> identity with John Doe <john@example.net> :
git filter-branch \\\n\t--env-filter '\n\t\tif test \"$GIT_AUTHOR_NAME\" = \"root\"\n\t\tthen\n\t\t\tGIT_AUTHOR_NAME=\"John Doe\"\n\t\tfi\n\t\tif test \"$GIT_AUTHOR_EMAIL\" = \"root@localhost\"\n\t\tthen\n\t\t\tGIT_AUTHOR_EMAIL=john@example.com\n\t\tfi\n\t\tif test \"$GIT_COMMITTER_NAME\" = \"root\"\n\t\tthen\n\t\t\tGIT_COMMITTER_NAME=\"John Doe\"\n\t\tfi\n\t\tif test \"$GIT_COMMITTER_EMAIL\" = \"root@localhost\"\n\t\tthen\n\t\t\tGIT_COMMITTER_EMAIL=john@example.com\n\t\tfi\n\t' \\\n\t--commit-filter '\n\t\tprintf \"%s\" \"${GIT_COMMIT},\" >> ../commits_mapping\n\t\tgit commit-tree \"$@\" | tee -a ../commits_mapping\n\t' \\\n\t--tag-name-filter cat \\\n\t--msg-filter '\n\t\tmessage=\"$(cat)\"\n\t\tcommit_refs=\"$(echo \"$message\" | LC_ALL=C grep -oE \"\\b[0-9a-fA-F]{7,40}\\b\")\"\n\t\tfor commit_ref in $commit_refs; do\n\t\t\tnew_sha=\"$(grep \"^${commit_ref}\" ../commits_mapping | cut -d, -f2)\"\n\t\t\tif test -z \"$new_sha\"\n\t\t\tthen\n\t\t\t\tcontinue;\n\t\t\tfi\n\t\t\tcommit_ref_len=\"$(printf \"%s\" \"$commit_ref\" | wc -m)\"\n\t\t\tnew_commit_ref=\"$(echo \"$new_sha\" | cut -c \"1-${commit_ref_len}\")\"\n\t\t\tmessage=\"$(echo \"$message\" | sed \"s/${commit_ref}/${new_commit_ref}/g\")\"\n\t\tdone\n\n\t\techo \"$message\"\n\t' \\\n\t-- --allYou may have noticed that filtering scripts are fully-POSIX compatible, so they are supposed to work in most environments (maybe even yours :wink:).
\n\nYou will find other features too :
\n\nCommitter identities are additionally getting updated ;
\nAll branches are getting rewritten (this may not be something that you want !) ;
\nTags are getting updated too (they will point to the same effective version of the code).
\n\n\n\nTL; DR : beware of word collisions across commit messages.
\n
There is a caveat that we have to share though, because of the use of regular expressions in the msg-filter script :
![\"A](\"/img/blog/how-to-rewrite-git-history-while-keeping-message-commit-references_2.png\")
You might encounter collisions between commit references and real-life words, existing in your language.
\n\nFor a project with commit messages written in English, you can safely run the above Git migration, because there is none :
\n\nLC_ALL=C grep -oE \"\\b[0-9a-fA-F]{7,40}\\b\" /usr/share/hunspell/en_US.dicIf you happened to use shorter SHA (let’s say, 6-character long references), there are collisions in English :
\n\nLC_ALL=C grep -oE \"\\b[0-9a-fA-F]{6,40}\\b\" /usr/share/hunspell/en_US.dic\naccede\nbedded\ncabbed\ndabbed\ndecade\nefface\nfacadeFor an Italian project, there are collisions, even with 7-character long references (:fearful:) :
\n\nLC_ALL=C grep -oE \"\\b[0-9a-fA-F]{7,40}\\b\" /usr/share/hunspell/it_IT.dic\naccadde\ndecaddePlease also note that git filter-branch usage is deprecated since Git v2.24.0, and filter-repo should be preferred.
\nIf you managed to adapt the solution described in this post with this tool, feel free to post a comment below !
It actually appeared that filter-repo supports this feature by default ! :tada:
\nSo it definitely should be preferred over git filter-branch, but sometimes, only legacy tools are available…
\n\n", "summary": "Mankind has a duty of memory", "tags": ["Tutorials"] },{ "title": "How to disable Bluetooth on Cinnamon startup", "date_published": "2022-01-31T11:35:00+01:00", "date_modified": "2022-01-31T11:35:00+01:00", "id": "https://samuel.forestier.app/blog/tutorials/how-to-disable-bluetooth-on-cinnamon-startup", "url": "https://samuel.forestier.app/blog/tutorials/how-to-disable-bluetooth-on-cinnamon-startup", "image": "https://samuel.forestier.app/img/blog/how-to-disable-bluetooth-on-cinnamon-startup_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "Many thanks to the co-author of this script, who will recognize himself :pray:
\n
![\"A](\"/img/blog/how-to-disable-bluetooth-on-cinnamon-startup_1.png\")
For years now, I’ve been using Cinnamon as desktop environment on my (graphical) Debian-powered systems.
\nWhereas this might painfully and sadly change in the future, I still had have to manually turn off Bluetooth on startup, as somehow, this state does not persist across reboots, and this feature does not seem implemented by the Blueman applet.
It appears since BlueZ 5.35 (2015 !) that enabling or disabling daemon automatic startup is possible.
\n\nThe thing is, even if you manually revert the Debian-packaged configuration enabling AutoStart, the Blueman applet will ensure Bluetooth is correctly turned on when bootstrapping, resulting in :
![\"A](\"/img/blog/how-to-disable-bluetooth-on-cinnamon-startup_2.png\")
… and that makes sens, because we can expect the front-end to check whether the back-end is ready on startup. But that’s a problem if you want it to stay off (and shut up) unconditionally.
\n\nThe workaround is then to let the Bluetooth daemon automatically start with AutoStart set to true, but directly disabling the wireless device with rfkill.
Unlike many others, I usually prefer handling “system-related issues” with “system-related tools”, instead of cheap hooks messy to maintain and always ending up requiring unnecessary privileges.
\nUsing systemd, we can easily implement this using unit overriding and built-in Service execution hooks :
systemctl edit bluetooth.service… and insert the following :
\n\n[Service]\nExecStartPost=/usr/sbin/rfkill block bluetooth\n\n\nNote that we do not reset with an empty string
\nExecStartPostentry first, so if one day Debian-based distributions decide to add another hook like that, this workaround wouldn’t break a thing, and will always be run afterwards.
Shoot-out to Norbert Preining for maintaining all those pieces of software available in Debian, for all these years, including Cinnamon :pray:
\n", "summary": "Some minor issues never disappear", "tags": ["Tutorials"] },{ "title": "Possible hot take about the new Riot Games anti-cheat policy", "date_published": "2020-04-18T13:01:00+02:00", "date_modified": "2020-04-18T13:01:00+02:00", "id": "https://samuel.forestier.app/blog/articles/possible-hot-take-about-the-new-riot-games-anti-cheat-policy", "url": "https://samuel.forestier.app/blog/articles/possible-hot-take-about-the-new-riot-games-anti-cheat-policy", "image": "https://samuel.forestier.app/img/blog/possible-hot-take-about-the-new-riot-games-anti-cheat-policy_1.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/possible-hot-take-about-the-new-riot-games-anti-cheat-policy_1.png\")
\n\n\nAs an introduction to the League of Legends / Riot Games / Tencent Holdings environment, I will only paste what I have written for an other unpublished post :
\n
League of Legends (below, “LoL”) is a MOBA still developed by its original publisher : Riot Games (USA).
\nRiot Games is, and has been for some years now, owned at 100% by Chinese (Tencent Holdings).
\nThere are still some serious working conditions issues at Riot place.
Some weeks ago, I’ve come across this click-baiting-but-technical blog post from Riot : /dev/null: Anti-Cheat Kernel Driver.
\nThe main goal of this solution is to load their anti-cheat in a more privileged environment than the cheats’ one.
\nI was not very keen about the idea (and I am not alone), but I naively thought that we would have some months of idealogical struggling ahead before really dealing with such an intrusive technology.
But more recently, it finally appeared “Project A” has been renamed to “VALORANT” and is already “available” through a really odd process, including another third-party platform (one more obscure partnership ?) :
\n\n![\"A](\"/img/blog/possible-hot-take-about-the-new-riot-games-anti-cheat-policy_2.png\")
Anyway, VALORANT, running in BETA with currently only few players, is acting as a production-grade testing environment for their new Vanguard anti-cheat solution.
\n\nNow look, let’s check again what an operating system kernel is supposed to do (from the Wikipedia page) :
\n\n\n\n\nThe kernel performs its tasks, such as running processes, managing hardware devices such as the hard disk, and handling interrupts, in this protected kernel space.
\n
Please help me, I can’t manage to find the part specifying it gives a special access to vendors for shipping their BLOB, running in a privileged and dangerous environment :roll_eyes:
\n\nIn computer science, if engineers happened to separate what is a matter of applications from what is a matter of system, there were (and there still are) good reasons.
\nIntel thought it could mix those, it ended up very badly.
\nAnd I mean, what could be more “applicative” than softwares developed by a video games company ?
\n\n\nAnd guys, I don’t expect the world to get a C.S. degree to remove an application from their system :cry:
\n
The point is, and I’m looking at you Riot, your code will contain vulnerabilities. It’s a fact, as it contains code rendering a “service”.
\nAnd you can argue it might be the most legitimate BLOBs Earth would ever known, it will anyway.
What would happen if a 0-Day is (un)discovered ?
\nYou would have (maybe) prevented a minority from bothering a part of the community, and greatly exposed tens Millions of players.
\nIs it worth the risk ?
\nIf I were a company’s CSO, I would not accept it.
\n\n\nPersonal two cents about cheating in LoL : In 7 years and thousands of games played, I only encountered a scripter once and, thanks to him, it wasn’t even in Solo Queue :smile:
\n
\nPersonal two cents direct comment : Maybe we (EUW players) are relatively spared from cheaters ? Do your statistics only address NA ?
List of (not-so)naive advices for Riot Games in their difficult fight on this (important) matter :
\n\nAbandon this idea (yeah, I know, sunk costs and friends) ;
\nPrefer the “human” approach by enhancing the Report feature if it requires to ;
Restore the Tribunal if you have to (??) ;
\nIf you really want to keep your low-level stuffs being used, please make them Open-Source and publicly audited.
\nI do hope too that you know you will f*ck impair all LoL GNU/Linux users once the official public client will be “patched” (and Lutris is already discouraging new players from “picking up League” :ok_hand: :joy:) :
![\"A](\"/img/blog/possible-hot-take-about-the-new-riot-games-anti-cheat-policy_3.png\")
\n\n\nBy the way, how are you gonna handle MacOS players ? Are you on the verge of coding a BSD kernel module too ?
\n
Anyway, I hope you also well-comprehend the problem of being owned by a Chinese group.
\nIf, one day maybe, Tencent decides to take over Riot’s games development back to China, players would end up having a ring-0 piece of software (in-)directly handled by the Communist Party :100:
\n\n\nNote to Epic Games shareholders : Don’t be stupid, keep those determinant 10% to stay you out of this contingency.
\n
So here we are, just wanted to add my two cents on the subject from my own PoV, hoping that divergent thoughts are the way forward to a better world, and that we cannot let those news handled by business vendors :
\n\n![\"A](\"/img/blog/possible-hot-take-about-the-new-riot-games-anti-cheat-policy_4.png\")
\n\n\nYes, the link refers to a store page to buy a product.
\n
\nNo, it’s not a joke (click on the link above if you don’t trust me).
To conclude, I’d refer to this Reddit thread, like often, encountered after the post redaction…
\n… and good luck to Riot that will have to deal with all of these users (well-)thinking that their computer is spying on them, because that’s definitely what their new “driver” is doing.
![\"A](\"/img/blog/how-to-fix-the-saboteur-installation-on-origin-and-windows-7_1.png\")
It’s COVID-19, Spring (sales), and Epic Games is still running an offensive “dumping” strategy against Steam on the video games market.
\nBut still, let’s talk about Origin today, the EA’s games platform.
I (very simply) wanted to enjoy Spring sales by getting a legit copy of the highly recommended The Saboteur (2009) game.
\n\n\n\n\nThis blog post has been written in English to higher its helping potential, nevertheless some screen-shots show French content as the target system is my personal setup here.
\n
So after having get a license, I have been downloading this piece of software, and (simply) expecting it to work out-of-the-box as any legitimately owned game.
\n\nAnd at this very moment (last step of the installation process), we got the (sadly) famous error message :
\n\n\n\n\nError: The .Net Framework redistributable package was not installed successfully. Setup cannot continue. (5100)
\n
Let’s take a look to the installer log (C:\\Program Files (x86)\\Origin Games\\The Saboteur\\__Installer\\InstallLog.txt) :
****************************************\nInstall Date: 04/12/2020\n12:28:18 Started logging\n****************************************\n\n12:28:18 Install Location: C:\\Program Files (x86)\\Origin Games\\The Saboteur\\\n12:28:18 [...]\n12:28:18 Touchup not running under compatibility mode\n12:28:18 [...]\n12:28:18 Processing EAIN file 'C:\\PROGRA~1\\ORIGIN~1\\THESAB~1\\__INST~1\\Touchup.dat'.\n12:28:18 Installation registry missing. Game not yet installed.\n12:28:18 (Config)Studio: Electronic Arts\n12:28:18 (Config)Game Name: The Saboteur\n12:28:18 (Config)Display Game Name: The Saboteur\n12:28:18 (Config)Updating ForceUninstallAllFiles to: 0\n12:28:18 (Config)Updating ForceUninstallAllFiles to: 1\n12:28:18 EAI data version: 5.03.02.00\n12:28:18 [...]\n12:29:53 Started DotNet runtime install phase for: dotnet35sp1\n12:29:53 Launching process:\n Command: \"C:\\PROGRA~1\\ORIGIN~1\\THESAB~1\\__INST~1\\dotnet\\dotnet35sp1\\redist\\dotnetfx35.exe\" /q /norestart\n Working directory: C:\\PROGRA~1\\ORIGIN~1\\THESAB~1\\__INST~1\\dotnet\\dotnet35sp1\\redist\\\n12:29:53 Process exited with exit code 5100.\n12:29:53 Error installing DotNet runtime.\n12:31:45 Installer finished with exit code: 1\n12:31:45 Shutting down data reader.\n\n****************************************\n12:31:45 Stopping install logging\n****************************************The program to incriminate is this one : C:\\Program Files (x86)\\Origin Games\\The Saboteur\\__Installer\\dotnet\\dotnet35sp1\\redist\\dotnetfx35.exe.
\nIt’s actually an official .NET Framework 3.5 SP1 installer wizard shipped by the Origin team along with the game to meet required dependencies (SHA256 : 6ba7399eda49212524560c767045c18301cd4360b521be2363dd77e23da3cf36).
Anyway, if you do try to install it manually, the wizard will “advise” you to use “Programs and Features” and “enable” it from there.
\n\n![\"A](\"/img/blog/how-to-fix-the-saboteur-installation-on-origin-and-windows-7_2.png\")
Actually, if you got on this blog post, you might have sadly noticed the feature is already enabled :joy:
\n\n![\"A](\"/img/blog/how-to-fix-the-saboteur-installation-on-origin-and-windows-7_3.png\")
What the EA team definitely missed is that, since October 2019, Micro$oft released .NET Framework 4.8 for Windows 7 SP1 (and above) through Windows Update (KB4503548). And it appears installing 3.5 on Windows 7 if this update is installed is broken.
\n\n![\"A](\"/img/blog/how-to-fix-the-saboteur-installation-on-origin-and-windows-7_4.png\")
So let’s trust Micro$oft when they say the 3.5.1 version is installed (from here : “.NET Framework [4.8] runs side-by-side with the .NET Framework 3.5 SP1”), and let’s try to “imitate” a successful installation of the latter.
\n\nOne more issue, Origin bundles Touchup.exe, a program being run by Origin itself to install the game and its requirements.
\nI imagine it refers to the respective Touchup.dat file that should contain the dependencies list, but we can’t really open and edit such a BLOB, as we would maybe have done against a regular configuration file.
![\"A](\"/img/blog/how-to-fix-the-saboteur-installation-on-origin-and-windows-7_5.png\")
\n\n\nSo, how could I possibly trick
\nTouchupand make it think the .NET dependency is already anyhow satisfied ?
Yes nice catch, here is a solution.
\nOpen up a commands prompt (as cmd.exe or powershell.exe), and navigate through your file system until you encounter an executable program (your Web browser main binary for instance).
\nRun it with the same parameters passed by Touchup, close its GUI if one opened up, and check its exit code :
cd .\\a\\windows\\directory\\path\n\\.program_name.exe /q /norestart\necho %errorlevel%\n:: Replace `%errorlevel%` by `$?` on PowerShell.If the prompt prints 0 (or True on PowerShell), stop right here : You got a candidate.
\nCopy the binary program as C:\\PROGRA~1\\ORIGIN~1\\THESAB~1\\__INST~1\\dotnet\\dotnet35sp1\\redist\\dotnetfx35.exe (you should make a backup of the original dotnetfx35.exe before).
Once it’s done, you may try to run the game installation from Origin again, and… surprise :tada:
\n\n\n\n\nBut what if I can’t manage to find any program exiting with
\n0?
It’s I.T., you can build your own using Code::Blocks for instance :wink:
\n\nQuicker solution, vlc.exe (yes, the awesome video player from VideoLAN) is a candidate.
#include <stdio.h>\n\n\nint main(int argc, const char* argv[])\n{\n printf(\"I\\'m about to trick Touchup !\");\n\n return 0;\n}Paste the snippet above, compile it using the shipped-in MinGW, fetch the resulting .EXE under your newly created project’s release build directory and rename it as dotnetfx35.exe.
Congratulations, you got your own .NET Framework 3.5 SP1 installer now :trollface:
\n\nSo you’d have understood, here we worked around the installer non-modularity (and bug ?) by emulating a 0 exit code that would cause Touchup.exe to successfully exit too, tricking Origin and making it set the game as correctly and fully-installed in its local database…
Before leaving and hoping that this piece of writing helped you, an advice for the EA development managers : If your launcher s*cks before AND after its rewrite, maybe it’s actually time to change the chair/keyboard middlewares (and rewrite it again), isn’t it ?
\n", "summary": "It's 2020, and there are still .NET issues within commercial programs...", "tags": ["Tutorials"] },{ "title": "nftables hardening rules and good practices", "date_published": "2020-03-20T11:30:00+01:00", "date_modified": "2023-01-19T00:00:00+01:00", "id": "https://samuel.forestier.app/blog/security/nftables-hardening-rules-and-good-practices", "url": "https://samuel.forestier.app/blog/security/nftables-hardening-rules-and-good-practices", "image": "https://samuel.forestier.app/img/blog/nftables-hardening-rules-and-good-practices.png", "author": { "name": "Samuel FORESTIER" }, "content_html": "![\"A](\"/img/blog/nftables-hardening-rules-and-good-practices.png\")
From the official documentation website, nftables is :
\n\n\n\n\n[…] the new packet classification framework that
\nintends toreplaces the existing {ip,ip6,arp,eb}_tables infrastructure.
I won’t be listing all the pros and cons of using nftables over iptables, but simply citing the dedicated section of the Netfilter Wikipedia page :
\n\n\nThe main advantages over iptables are simplification of the Linux kernel ABI (Application Binary Interface, ed.), reduction of code duplication, improved error reporting, and more efficient execution, storage, and incremental changes of filtering rules.
\n
Wow ! What an introduction.
\n\nAs it should be considered as the-way-of-managing-Netfilter since 2016, I was pretty frustrated not to find any “hardening” guide for it on the Web, so here is one !
\n\n\n\n\nNote : I’ll be using the declarative nftables scripting format, much more clear IMHO.
\n
#!/usr/sbin/nft -fThis will allow you to run a regular chmod +x on your rules definition file, and if you’re editing it with Sublime Text, the Nftables syntax definition will be automatically set (that was the moment of self-promotion, which doesn’t happen very often).
I don’t know what your current ruleset looks like (and maybe you don’t know too :fearful:), so let’s clean it up in an nft fashion :
flush ruleset\n\n\nNote : By not specifying any network family type, all existing tables will be removed.
\n
\n\n\n“Anything that is not explicitly permitted is prohibited.”
\n
\n— M. S.
With iptables, you would have (and I hope you did) set DROP policies on each default FILTER chains with :
iptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT DROP\n\nip6tables -P INPUT DROP\nip6tables -P FORWARD DROP\nip6tables -P OUTPUT DROPWe will drop any thoughts we may have about that, and simply look at how we can reproduce the same behavior with nftables :
table inet filter {\n\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n\n\t\t# ...\n\t}\n\n\tchain forward {\n\t\ttype filter hook forward priority 0; policy drop;\n\n\t\t# ...\n\t}\n\n\tchain output {\n\t\ttype filter hook output priority 0; policy drop;\n\n\t\t# ...\n\t}\n}Describing an inet table allows us to handle any IPv4 (ip) and IPv6 (ip6) packets at the very same location (you know DRY and so on).
\nWith each chain bound to its respective hook, and policies set to drop, we can be sure that our default skeleton will, at this step, reject any packet.
\n\n\nNote : If you (accidentally) forgot how Netfilter handles packet flow, here is a[n] (almost-complete) reminder.
\n
![here](\"https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg\"){kind=link}
table netdev filter {\n\tchain ingress {\n\t\ttype filter hook ingress device eth0 priority -500;\n\n\t\t# IP FRAGMENTS\n\t\tip frag-off & 0x1fff != 0 counter drop\n\n\t\t# IP BOGONS\n\t\t# From <https://www.team-cymru.com/bogon-reference.html>.\n\t\tip saddr { \\\n\t\t\t\t0.0.0.0/8, \\\n\t\t\t\t10.0.0.0/8, \\\n\t\t\t\t100.64.0.0/10, \\\n\t\t\t\t127.0.0.0/8, \\\n\t\t\t\t169.254.0.0/16, \\\n\t\t\t\t172.16.0.0/12, \\\n\t\t\t\t192.0.0.0/24, \\\n\t\t\t\t192.0.2.0/24, \\\n\t\t\t\t192.168.0.0/16, \\\n\t\t\t\t198.18.0.0/15, \\\n\t\t\t\t198.51.100.0/24, \\\n\t\t\t\t203.0.113.0/24, \\\n\t\t\t\t224.0.0.0/3 \\\n\t\t\t} \\\n\t\t\tcounter drop\n\n\t\t# TCP XMAS\n\t\ttcp flags & (fin|psh|urg) == fin|psh|urg counter drop\n\n\t\t# TCP NULL\n\t\ttcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop\n\n\t\t# TCP MSS\n\t\ttcp flags syn \\\n\t\t\ttcp option maxseg size 1-535 \\\n\t\t\tcounter drop\n\t}\n}Here, the table has been declared with a netdev network family type. It means that any incoming packet from layer 2 would go through the created chain, as an ingress hook has been set.
You may also have noticed the -500 priority. By setting it lower than NF_IP_PRI_CONNTRACK_DEFRAG (= -400), we are sure that our chain will be evaluated before any other one registered on the ingress hook. This makes it the perfect place to set our DDoS counter-measures, as we would “spare” a few CPU cycles per packet.
About the rules themselves, there are two kind of statements (decisions) : those that are terminal, and those which are not. For instance, drop is terminal (a verdict), whereas counter is not.
\nThus, we may specify counter drop, to make Netfilter count the number of packets matching the rule, and drop them at the same time (very useful for debugging purposes).
\nNo need to duplicate weird iptables calls anymore (calls that were duplicating Netfilter registered rules by the way :roll_eyes:).
\n\n\nNote on “Bogons” : If you got an IPv6 stack, you might be interested in the IPv6 Full Bogons list.
\n
A regular anti-DDoS rule is to block new packets that are not SYN.
\n\n\nWhy didn’t you add such a rule to the previous code snippet then ?
\n
Well, in order to match “new” packets, we need the help of the conntrack Netfilter module.
\nThe problem : It’s not available within a chain registered with the ingress hook, that’s why we gotta use it elsewhere.
\nLet’s then take the firstly encountered other “location” on the Netfilter flow : the PREROUTING chain of the filter table, at the mangle (-150) priority.
table inet mangle {\n\tchain prerouting {\n\t\ttype filter hook prerouting priority -150;\n\n\t\t# CT INVALID\n\t\tct state invalid counter drop\n\n\t\t# TCP SYN (CT NEW)\n\t\ttcp flags & (fin|syn|rst|ack) != syn \\\n\t\t\tct state new \\\n\t\t\tcounter drop\n\t}\n}The first rule would drop any packet flagged as invalid by the conntrack module.
\nThe second would do the same for any new packet, presenting any other TCP flag beside SYN.
Here is the final skeleton detailed above :
\n\n#!/usr/sbin/nft -f\n\n\nflush ruleset\n\n\ntable netdev filter {\n\tchain ingress {\n\t\ttype filter hook ingress device eth0 priority -500;\n\n\t\t# IP FRAGMENTS\n\t\tip frag-off & 0x1fff != 0 counter drop\n\n\t\t# IP BOGONS\n\t\t# From <https://www.team-cymru.com/bogon-reference.html>.\n\t\tip saddr { \\\n\t\t\t\t0.0.0.0/8, \\\n\t\t\t\t10.0.0.0/8, \\\n\t\t\t\t100.64.0.0/10, \\\n\t\t\t\t127.0.0.0/8, \\\n\t\t\t\t169.254.0.0/16, \\\n\t\t\t\t172.16.0.0/12, \\\n\t\t\t\t192.0.0.0/24, \\\n\t\t\t\t192.0.2.0/24, \\\n\t\t\t\t192.168.0.0/16, \\\n\t\t\t\t198.18.0.0/15, \\\n\t\t\t\t198.51.100.0/24, \\\n\t\t\t\t203.0.113.0/24, \\\n\t\t\t\t224.0.0.0/3 \\\n\t\t\t} \\\n\t\t\tcounter drop\n\n\t\t# TCP XMAS\n\t\ttcp flags & (fin|psh|urg) == fin|psh|urg counter drop\n\n\t\t# TCP NULL\n\t\ttcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop\n\n\t\t# TCP MSS\n\t\ttcp flags syn \\\n\t\t\ttcp option maxseg size 1-535 \\\n\t\t\tcounter drop\n\t}\n}\n\ntable inet filter {\n\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n\n\t\t# ...\n\t}\n\n\tchain forward {\n\t\ttype filter hook forward priority 0; policy drop;\n\n\t\t# ...\n\t}\n\n\tchain output {\n\t\ttype filter hook output priority 0; policy drop;\n\n\t\t# ...\n\t}\n}\n\ntable inet mangle {\n\tchain prerouting {\n\t\ttype filter hook prerouting priority -150;\n\n\t\t# CT INVALID\n\t\tct state invalid counter drop\n\n\t\t# TCP SYN (CT NEW)\n\t\ttcp flags & (fin|syn|rst|ack) != syn \\\n\t\t\tct state new \\\n\t\t\tcounter drop\n\t}\n}You “only” have to complete it with your own rules now :wink:
\n\n\n\n\nNote : If you are interested in a migration from
\niptables, you might wanna read this.
If you think that something is definitely missing (or wrong !), please feel free to leave a comment below, as usual :ok_hand:
\n\nSetting up a server firewall with nftables that support WireGuard VPN
\nThanks to Timo for their improvement of conntrack-based hardening rules
Thanks to Thomas for digging up the MSS “off-by-one” error and fixing the TCP XMAS detection rule
\n