Category: Posts

Note: Roam Mobility is no longer in business as of June 30, 2020 (see the MobileSyrup article.)

I recently returned from a five day trip to Las Vegas, to once again play the low-limit blackjack at Hooters Casino Hotel, enjoy the complimentary drinks and see a few shows. I’ve done this before with friends, but the first major change is that this is the first year I’ve had cell coverage in the US thanks to Roam Mobility. I’d used them on a conference trip to San Francisco earlier this year and it was quite handy.

The general principle is that you pay $4/day for unlimited talk/text (including voice/SMS back to Canadian numbers), and also get a 300MB allotment of 4G/LTE data per day of the plan. Thus, if you buy three days you get 900MB to use at any time during the total plan. If you go through the allotment, it degrades to “unlimited” data at EDGE/128kbps speeds.

Continue reading

(Post updated 2015-05-07 with the results of some helpful feedback from mbrowne. Comments, GitHub issues and pull requests are always welcome!)

I maintain a Github repository of small useful scripts (at least to me) and occasionally get comments or email about them. I received an email yesterday asking about WordPress file permissions when applied with wpfix.py, which is a simple Python wrapper around a few common filesystem operations. I’d initially written about it a few years ago as a utility to allow sites to auto-update.

Since wpfix.py was written, it appears that there have been some changes in the way that WordPress performs upgrades. I’ll excerpt the issue from the original email:

I have recently ran your script on our wordpress website to fix permission issue.

But we are getting below error while we try to upgrade wordpress from admin panel.

 

“This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php”

 

When i look the permission I could see update-core.php file have only read permission for webserver user “www-data”. Is your script designed to set 644 for files in this folder ?

-rw-r--r-- 1 username www-data  47326 Aug  1 06:09 update-core.php

 

I took it upon myself to read some of the WordPress code that performs core updates, as well as some of the documentation. To answer the original question, wpfix.py does set 644 permissions on all WordPress files in the directory tree, then goes through the wp-content directory and adds group write permissions only where necessary.

The auto-update documentation at http://codex.wordpress.org/Hardening_WordPress states:

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.

Unfortunately this doesn’t seem to match with the behavior in the code – when a direct FS_METHOD is used for manipulating files rather than through FTP or SSH, operations get performed as the web server user (www-data). Therefore, the 644 permissions on wp-admin are too restrictive to allow core upgrades.

There are a few solutions to this problem:

• If you do not accept the risks of having the webserver (www-data) user having write access to your WordPress contents, use the wp-cli (http://wp-cli.org/) core update command running as the user that owns the WordPress files. This is my preferred method and it can be scripted to batch update sites.
• If you completely control the webserver and can be assured that nobody will upload a potentially malicious plugin or execute code that traverses the filesystem, set the permissions to 664 for all files (not directories) under wp-admin and wp-includes directories and have the group set to www-data:


  • find $WORDPRESS_DIR/wp-admin -type f -exec chmod 664 {} \;
    find $WORDPRESS_DIR/wp-includes -type f -exec chmod 664 {} \;
    chgrp -R www-data $WORDPRESS_DIR/wp-{admin,includes}

  • I would not recommend this in a shared hosting environment. When you upgrade, the more permissive group write flag will be preserved on these files (see the WP_Filesystem function in wp-admin/includes/file.php for details on how FS_CHMOD_DIR and FS_CHMOD_FILE are set.)
• If you have FTP or SSH access to the server, and want to upgrade using this technique, remove the define('FS_METHOD', 'direct'); line from wp-config.php. This ensures that file delete, write and move operations are performed as the FTP/SSH user.

I will be adding parameters to wpfix.py shortly to address the last two points, and allow users to either set more permissive permissions on wp-admin/wp-includes directories or remove the FS_METHOD define.

Huge thanks to Matt Hopton at “How Do I Computer?” for this informative article on fixing DFS replication issues with the SYSVOL directory. In my case, symptoms were similar – AD group policies weren’t being successfully updated at a remote site with its own read-only domain controller. This was present in gpresult /h output.html, where scripts that had recently been added at logon to the main office DC earlier in the day were not able to be found on the branch domain controller.

Some additional notes:

• Look in Event Viewer under Applications and Services Logs > DFS Replication for a warning with ID 2213, which provides the wmic command needed to resume replication
• If the DC has been out of sync too long, there will be an Error with ID 4012; use:wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=65and replace 65 with a number that is above the “server has been disconnected from other partners” value. Then, rerun the wmic command from the first event. Give it a few minutes and be patient and if all goes well, another event will pop into the log indicating successful initialization of the SYSVOL folder.

After a bit of house tidying over the past few days, I managed to locate the power adapter for my Lenovo X230 laptop. Upon booting it up I realized that it had accumulated a number of outdated applications and crufty configurations, so I wanted to restore it to factory settings. Ordinarily I would immediately image with a stock Windows ISO, but since I’d paid for a Win7 Pro license, and wanted all the Lenovo applications restored (volume/brightness OSD, battery monitor in taskbar) I specifically wanted to restore to the OEM version and then remove the trialware.

Continue reading

(Update 2015-09-20: Several readers have also reported that the instructions in this post to set the Static Port flag for the WiiU’s outbound NAT also seems to help with Splatoon connectivity issues. Following this logic, this change may work for any WiiU game that shows similar problems.)

One of the more entertaining games I’ve played recently has been Mario Kart 8. Even though I’m not very good, it’s great with friends, despite what seems like Nintendo’s complete aversion to online gaming.

Since I’m used to the better mechanism of party chat on Xbox Live, typically I run Skype on a laptop throughout the session to the group of friends I’m playing with. The MacBook Pro built-in mic/speaker combination does decent enough noise cancellation, which means that multiple players in the same physical room can both spew profanity and have profanity spewn right back.

Continue reading

Recently I decided to rebuild our main Debian Squeeze host as a 64-bit Debian Wheezy (7.0; I believe the template is 7.3 as of the time of this writing) VPS. This box runs web hosting, email, internal IRC, shell access and basically any other services that one of our beloved sudoers would like to try. Both of these hosts live in Linode’s Newark datacenter.

Linode will pro-rate your account if you cancel a server in the middle of a month, so both instances (old and new) are currently running for a minimal net cost. You can also assign private IPs to each host and SCP data or mount NFS between servers without cutting into your bandwidth quota, as well as attain a slight transfer speed improvement. This gives us plenty of time to move finicky services and make sure that the new configuration is working as intended. We’ve been cutting over individual user websites and mail services one by one to lessen the impact.

One of the problems I ran into that did not exist on the old host was email forwarding. We use the Linode Library: Email with Postfix, Dovecot, and MySQL article as a basis for a mail server that supports multiple domains, IMAP mailboxes and aliases that forward to multiple accounts. Most of our traffic is forwarding operations, typically to multiple users at once as sort of a poor-man’s distribution list. The main forwarder is an internal alias for Slightly Sauced group discussions, which sends messages out to everyone’s preferred mail provider.

Initially there didn’t seem to be any problems with the mail setup. I use Exchange Online for my personal email and messages were coming and going properly to me. When I went to reply to an existing thread, I soon got a bounceback message from for only a few email recipients the list. Checking /var/log/mail.log, I found the following lines (truncated for brevity and sanitized to not mention any specific email addresses):


Feb 26 21:58:24 services02 postfix/qmgr[28676]: 2F6FA6AB68: from=<me@example.com>, size=31176, nrcpt=9 (queue active)
Feb 26 21:58:24 services02 postfix/smtp[10250]: 2F6FA6AB68: to=<recipient1@googleapps.example.com>, orig_to=<distribution@example.com>, relay=ASPMX.L.GOOGLE.com[2607:f8b0:400d:c04::1b]:25, delay=8.6, delays=8/0.01/0.13/0.46, dsn=2.0.0, status=sent (250 2.0.0 OK 1393451904 g88si838453qgf.126 - gsmtp)
Feb 26 21:58:24 services02 postfix/smtp[10253]: 2F6FA6AB68: to=<recipient2@dreamhost.example.com>, orig_to=<distribution@example.com>, relay=mx1.sub4.homie.mail.dreamhost.com[208.97.132.226]:25, delay=8.7, delays=8/0.02/0.24/0.39, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 84D4B76807B)
Feb 26 21:58:24 services02 postfix/smtp[10251]: 2F6FA6AB68: to=<recipient3@gmail.example.com>, orig_to=<distribution@example.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1a]:25, delay=8.7, delays=8/0.01/0.06/0.58, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1a] said: 550-5.7.1 [2600:3c03::f03c:91ff:fe6e:423f 12] Our system has detected that 550-5.7.1 this message is likely unsolicited mail. To reduce the amount of spam 550-5.7.1 sent to Gmail, this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. r6si610718qcl.69 - gsmtp (in reply to end of DATA command))
Feb 26 21:58:26 services02 postfix/smtp[10252]: 2F6FA6AB68: to=<recipient4@exchange.example.com>, orig_to=<distribution@example.com>, relay=example-com.mail.protection.outlook.com[207.46.163.215]:25, delay=11, delays=8/0.02/0.34/2.3, dsn=2.6.0, status=sent (250 2.6.0 <72c119e2692a422cbc733234ced8599a@SN2PR03MB046.namprd03.prod.outlook.com> [InternalId=49989124371267, Hostname=BY2PR03MB041.namprd03.prod.outlook.com] Queued mail for delivery)
Feb 26 21:58:26 services02 postfix/bounce[10256]: 2F6FA6AB68: sender non-delivery notification: D6C4C6AB90


The first thing I noticed is that the users on Dreamhost IMAP, Exchange Online, and Google Apps / Google Hosted accounts did not have the forwarded message rejected. Forwards going to straight @gmail.com addresses were immediately rejected. I reviewed the Google Support document without much luck, and then stumbled across some documentation from Tanguy Ortolo about Google’s IPv6-related email restrictions. While Tanguy’s workaround was a good one (force IPv4 connections to Google mail servers), I tried to solve the problem while maintaining IPv6 connectivity. Linode does let you set reverse DNS (PTR) records for both IPv4 and IPv6 addresses, as long as they forward-resolve correctly.

• In the Linode control panel or your own DNS management system, establish A and AAAA records for the server that is transmitting email. (eg: mailserver01.example.com.) Wait for the records to be resolvable and check with the dig a $hostname; dig aaaa $hostname commands on an IPv6 enabled system.
• In the Linode control panel, find the individual VPS and access Remote Access. In the Public IPs section, click Reverse DNS.
• On the Reverse DNS page, look up the domain name (mailserver01.example.com) with the provided tool. If your A and AAAA records are present and functional, Linode will ask whether you would like to use mailserver01.example.com as the reverse DNS entry for both your IPv4 and IPv6 addresses. Click Yes to both options.

Within 24 hours, forwarded mail flow to Gmail accounts should begin working properly.

I also took this opportunity to update my SPF records as Exchange Online was fairly restrictive about certain types of messages that I sent through this server. I had to update my SPF record to: v=spf1 a mx include:spf.protection.outlook.com include:example.com ~all, where example.com was the domain of our Debian mail server that had its own SPF record.

Update, June 29/14: You also want to ensure that your SPF record doesn’t have more than ten total DNS lookups, recursively including all ‘include:’ directives. Exchange Online adds quite a few. Use http://www.kitterman.com/spf/validate.html to confirm that the SPF entry passes with the pyspf checker.

For future reference and edification: on certain Supermicro motherboards running OSes of Windows 7 or newer (including the Server variants like 2008 R2 or 2012), USB keyboard and mouse devices will act ‘stuttery’ or freeze during input. The issue I encountered was specifically missing keystrokes or repeated letter presses, and appeared to be present even before the OS had booted.

A response in the Spiceworks community pointed me to the Supermicro FAQ, which states:

Question
In X9DRW-iF, USB Mouse can’t work under Winodws 7.

Answer
Please change “ISOC” setting from disable to enable in the BIOS menu for problem solving. (This item locates at Advanced / Chipset / NB / QPI Config –> ISOC)

To clarify, reboot the server and get into BIOS by pressing Delete at startup when prompted. “NB” refers to North Bridge.

I’ve recently run into a few issues with my home networking setup. In pure overkill fashion, I’ve bought some new hardware to deal with it all and hopefully, in the process, learn a bit more about different network configurations.

One of my main problems at this point is related to location. After buying a house last year, I still have yet to make significant progress on the “Ethernet to every room” project. Wireless is great and has drastically improved since the early gear, but even the 802.11ac standard and equipment is no substitution for the reliability and consistent speed of a gigabit wired line. ac routers right now can push 180Mbps throughput at 1 meter, but quickly diminish based on additional distance, other devices and the wireless adapters involved in the whole fiasco.

For the wired setup, I have all of the means to complete the process – or at least think I do until moving to whatever the next phase of the process is. At that point there’s usually much cursing, an order or two to Monoprice, and even a trip to Home Depot. Over the year I’ve relocated my folding table of tech gear to the basement, and there’s already quite a convenient hole in the floor to run some wiring through. As a result, my main tech closet in the basement all runs Ethernet, and I’m less inclined to start sawing drywall and drilling holes to the second floor on a whim.

Another problem I was seeing was poor wireless and routing performance in general. I’ve had the Netgear WNDR3700 in place for about two years now, and it’s run both stock firmware and DD-WRT with various success. I’d highly recommend the router with stock firmware for most home configurations, but DD-WRT seems to occasionally stop sending and receiving traffic on the 5GHz wireless interface.

With a router replacement, there are three main components to be aware of:

• Router/NAT device, to handle Internet connection traffic and route it to the corresponding internal client
• Switching equipment – usually built in to the router, but additional capacity is generally needed down the line for more than four systems or avoiding lengthy cables
• Wireless radio interface – again, usually built into the router

I decided to split this up a bit into its logical components. For the router/NAT device, my friend Matt sold me on a Lanner FW-7540, which is essentially a small-form-factor box with four Intel gigabit Ethernet ports and a dual-core Intel Atom CPU. The machine easily runs software like pfSense, which is a FreeBSD distribution with a Web interface and some configuration utilities on top. It’s incredible software and very powerful.

For switching equipment, I turned off DHCP on the Netgear router and am not using the WAN (Internet) port, turning it into a wireless access point plus four-port gigabit switch. I believe there is an option to reassign the WAN port to a LAN port, but I am not entirely lacking for ports near the cable modem at this point. Other locations in the house utilize 8-port Monoprice gigabit switches and that’s probably what I’d put in if the Netgear died or started acting up.

The last part of the equation is wireless access, and I’m waiting for the Ubiquiti UniFi AP AC to become reasonably commercially available. For now, I’m expecting a UniFi AP Pro to start. Even in a residential neighbourhood, I typically see upwards of a dozen networks in range and would like a more powerful, better-located access point to serve the systems here.

So, what have I learned about this setup?

Serial access to the Lanner console is a bit of a fun time. The device includes an RJ-45 to DB-9 serial adapter, so I had to hunt for which devices around the house had a serial port. You’ll also want to have a basic understanding of how serial terminals work.

Installing pfSense – when picking the kernel, select the option that is not symmetric multiprocessing, or you’ll lose console access on the first boot. Initial configuration for making the device behave like a usual router/switch involves not only setting up “OPT1” and “OPT2” interfaces to be bridged to the LAN, but configuring the built-in firewall to allow all traffic between them. I accidentally set the firewall allow rules to only let TCP traffic pass between the network interfaces, and that basically ruined functionality for anything plugged into ports 3 and 4 on the Lanner.

IP range selection is a good thing to plan out completely, especially if you’re a moron and pick the same range that your office uses to assign to VPN clients and a number of internal systems. Stick to low-numbered 192.168.x.y subnets to interfere with the least amount of connectivity, and select the appropriate netmask. I picked 10.0.0.0/8 and was in a world of hurt reconfiguring the network the next time I had to work from home.

Don’t dual DHCP or you’ll end up with what looks like periodic packet loss. Running a continuous ping to the router showed maybe two “Request timed out” results every twenty minutes or so. This interrupted music mounted from another computer as well as the Internet connection. Make sure all other DHCP servers are turned off or locked down appropriately!

(Messages in the pfSense logs for this condition look like repeated instances of the following block)

Apr 15 01:18:02 pfsense kernel: arp: 192.168.1.100 moved from 00:1b:21:b0:7e:bb
to 34:bb:1f:bb:0a:f8 on em1
Apr 15 01:18:15 pfsense kernel: arp: 192.168.1.100 moved from 34:bb:1f:bb:0a:f8
to 00:1b:21:b0:7e:bb on em1

Update 1: Useful sites that helped sort this out were:

• http://doc.pfsense.org/index.php/ARP_moved_log_messages
• http://forum.pfsense.org/index.php?topic=1753.0

And finally, have a UPS on all critical parts of the network path. They’re reasonably inexpensive and it’s nice to be able to still have Internet access during a power outage situation.

Problem: The Mac App Store on my laptop refused to allow me to update existing applications, download new ones, sign in to my account or view existing downloads. Trying the “Store > Sign In” and “Sign In” link from the Featured page both refused to display the usual login dialog. Attempting to update existing applications showed the usual “spinner” in the top toolbar with no progress.

Dead ends: Suggested on the Apple Discussion forums, there were several items suggesting anti-virus and firewall involvement. None of these were applicable to my situation and I was attempting all of these actions from an unrestricted TekSavvy cable connection.

Solution: This post on the Apple Discussion forums provided the initial help, but was incomplete in its solution. First, close out the App Store, then enable the debug menu by running

defaults write com.apple.appstore ShowDebugMenu -bool true

from the Terminal. Launch the App Store again, and choose Debug > Clear Cookies and Debug > Reset Application. Quit and relaunch the App Store, and you should be able to sign in and download updates successfully.

Again, in case I forget: If you’d like to reset a WordPress password from the database or create a new administrative user:

1. Generate a PHPass hash using this mainframe8 tool.
2. Insert a new row, or update an existing row, in the wp_users table. Use the hash from the tool in the user_pass column.
3. If you’re adding a new administrator, insert the following values into wp_usermeta and replace user_id (2 in this example) with the newly created account’s ID:

   INSERT INTO wp_usermeta (`umeta_id` , `user_id` , `meta_key` , `meta_value`) VALUES
   (NULL , '2', 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
   (NULL , '2', 'wp_user_level', '10');

4. Enjoy a fixed WordPress admin account.