Category Archives: Nerd stuff

FreeBSD: when did I last update my ports/packages?

This tip is again FreeBSD only, and won’t work on Linux.

So it’s been a while since you updated your ports and/or packages, and actually you don’t remember exactly when. And now you’re ready to run a new update, but you don’t know from where to start reading /usr/ports/UPDATING before you update.

Luckily, this information can simply be extracted from the SQLite database that contains info on all installed packages. Add the following alias to your ~/.bashrc:

alias pupl='sqlite3 /var/db/pkg/local.sqlite "select datetime(time, \"unixepoch\") from packages order by time desc limit 1"'

Clearly, if you don’t use the Bash shell, you should figure out how to add aliases in your shell. The alias will be active after you re-login; invoke it like any other command.

$ pupl

This alias will display the date and time that the last package or port was updated or installed.

Note: if you last installed a package without updating the already installed packages, this alias will display the date and time for the last installation, and not for the last update!

If you’re going to play around with that database to see what other info you can extract from it, you should probably make a copy of it, to make sure you don’t accidentally write to the original; you don’t want to mess up your package database.

P.s.: the name for the alias comes from ‘Ports UPdated Last’; change it to anything you like.
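The note above (last install versus last update) and the advice not to write to the database can both be handled in code. This is an added example, not part of the original post: it opens the file read-only and counts packages per day, so an upgrade run (many packages) stands out from a lone install. Only the packages table and its time column come from the post; the function names and the sample rows are assumptions.

```python
import pathlib
import sqlite3

def open_readonly(db_path):
    """Open an SQLite file read-only, so exploring it can never modify it."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def install_batches(db_path, limit=5):
    """Return (day, package_count) for the most recent days with activity.

    An upgrade run touches many packages on the same day; a lone install
    touches one, which is how the two cases are told apart.
    """
    conn = open_readonly(db_path)
    try:
        return conn.execute(
            "SELECT date(time, 'unixepoch') AS day, count(*) "
            "FROM packages GROUP BY day ORDER BY day DESC LIMIT ?",
            (limit,),
        ).fetchall()
    finally:
        conn.close()

def build_sample_db(db_path):
    """Constructed sample data; the name column and all rows are made up."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE packages (name TEXT, time INTEGER)")
    conn.executemany("INSERT INTO packages VALUES (?, ?)", [
        ("pkg-a", 1690000000), ("pkg-b", 1690000060), ("pkg-c", 1690000120),
        ("pkg-d", 1700000000),   # a single install, months after the batch
    ])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    import sys
    # Usage: python3 this_script.py /var/db/pkg/local.sqlite
    for day, count in install_batches(sys.argv[1]):
        print(day, count)
```

Days are reported in UTC, like the alias above. On the sample data the most recent day shows one package and the day before it shows three, so /usr/ports/UPDATING should be read from the earlier date.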

Related: puptd

9GAG: Hide anonymous posts

There’s probably a rather small audience for this tip.
I’ll share it anyway.

9GAG decided to display usernames of OPs. Which is mostly a good thing, as it seems to have reduced double posts, bot posts and spam posts.
However, posters can still indicate that they want to be anonymous. Posts from these OPs are then posted under the generic fake username 9GAGGER, a user that cannot be blocked. And obviously there are posters who abuse this possibility to continue to post bullshit posts.

Luckily it’s not very hard to just hide all posts from fake user 9GAGGER; in your desktop browser, that is.

Install the uBlock Origin add-on in your browser.
Open its settings, and add this filter on the My filters tab:

9gag.com##article:has(a.ui-post-creator__author:has-text(/^9GAGGER$/))

Hit the Apply changes button, and you’re done.

All anonymous posts will now be hidden. Mind you: they are still loaded, they are just hidden from sight.

Obviously, you can also use this to hide other users’ posts. This way you won’t have to create an account just to ignore certain users. Just replace 9GAGGER with the user to be ignored in the rule above; make sure to leave the caret ( ^ ) before the username intact, as well as the dollar sign ( $ ) behind it.
You can make as many of these rules as you like, one rule per line.

Additionally, if you don’t have a 9GAG user account, you can’t make ‘sensitive content’ visible, so you might as well filter that out, too:

9gag.com##article:has(div.post-sensitive-mask__body)

And personally I have configured my browser to block all YouTube content (or all Google content, actually), so I don’t need 9GAG to display these ‘empty’ posts either:

9gag.com##article:has(div.youtube-post)

Tip:
If you now have both the uBlock Origin and uMatrix add-ons installed, you could copy the rules from uMatrix’s My rules tab to uBlock’s My rules tab. Both add-ons are created by the same developer team, and the rules are compatible. You could then disable or uninstall uMatrix.
You may have to add some new rules to get some sites working again, though, since uBlock Origin blocks a bit more than uMatrix.
The uMatrix GitHub repository has been archived, so I think uMatrix may be retired soon (although I have not been able to find any confirmation about that).

Custom kernel on a remote host

This is a FreeBSD tutorial; it’s useless for Linux.

The FreeBSD handbook describes how to build a custom kernel. However, this documentation assumes that you have access to the boot menu in case the new kernel won’t boot. And on a remote server this is not always an option.
So I will describe the process for building a custom kernel on a remote server here. For clarity and sysadmin friendliness I will start at the beginning, instead of only explaining how to boot the old, working kernel if something is wrong with your new kernel.

The 1 thing that’s missing in 2FA

Wikipedia, Twitter, GitHub, Trello, …
Hundreds, if not thousands of websites require multi-factor authentication, or at least offer it as a complementary security measure.

WordPress, Roundcube, Kanboard, Nextcloud, …
Hundreds, if not thousands of web applications offer multi-factor authentication by default or as a module/plugin.

And yet, there is one thing that none of all these 2FA developers/implementors have thought of. And since I don’t have the time, nor the desire, to submit a bug report for each of these thousands of applications and websites, I’m just going to say it here. Kudos to all developers who read this, realize that I’m right, and implement this.

IF AND WHEN SOMEONE REACHES MY 2FA FORM AND CANNOT COMPLETE IT, I WANT TO BE NOTIFIED!

If someone reaches the 2FA form, this means that they have correctly entered my password.
If someone cannot complete the 2FA form, this means that they probably do not have my phone or 2FA device.
So it is very probable that someone who cannot complete the 2FA challenge IS NOT ME.
This means that someone who is not me has managed to correctly enter my password.

This means that very probably my password has been compromised, and I must change it. NOW!

So, if the above is too much text for you, let me summarize below:

IF SOMEONE CANNOT COMPLETE MY 2FA CHALLENGE,
THEY HAVE PROBABLY ALREADY COMPROMISED MY PASSWORD,
AND I NEED TO KNOW ASAP!

And actually, I’d even prefer to know if they reach the 2FA form and don’t try to complete the challenge. Because if I want to log in, I go all the way, and I don’t abandon between password and 2FA.
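One way to implement the requested notification, as an added example that is not code from any of the applications named above: it scans authentication events and reports every login that passed the password step but never completed 2FA, whether the code was wrong or the form was abandoned. The event fields, type names, timeout and sample data are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (documentation IP ranges, made-up sessions).
EVENTS = [
    {"ts": 100, "session": "s1", "user": "alice", "ip": "192.0.2.10", "type": "password_ok"},
    {"ts": 130, "session": "s1", "user": "alice", "ip": "192.0.2.10", "type": "totp_ok"},
    {"ts": 200, "session": "s2", "user": "alice", "ip": "198.51.100.7", "type": "password_ok"},
    {"ts": 215, "session": "s2", "user": "alice", "ip": "198.51.100.7", "type": "totp_fail"},
    {"ts": 300, "session": "s3", "user": "bob", "ip": "203.0.113.5", "type": "password_ok"},
    {"ts": 950, "session": "s4", "user": "bob", "ip": "192.0.2.44", "type": "password_ok"},
]

def incomplete_2fa(events, now, timeout=300):
    """Return one alert per login that got past the password but not past 2FA.

    A login is only reported once `timeout` seconds have passed since the
    password was accepted, so a mistyped code followed by a correct one
    does not raise an alert.
    """
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions[ev["session"]].append(ev)

    alerts = []
    for session_id, evs in sessions.items():
        start = next((e for e in evs if e["type"] == "password_ok"), None)
        if start is None:
            continue                      # password was never accepted
        if any(e["type"] == "totp_ok" for e in evs):
            continue                      # login was completed
        if now - start["ts"] < timeout:
            continue                      # user may still be typing the code
        failed = any(e["type"] == "totp_fail" for e in evs)
        alerts.append({
            "user": start["user"],
            "ip": start["ip"],
            "session": session_id,
            "password_accepted_at": start["ts"],
            # "abandoned" covers the case of never even trying a code.
            "reason": "failed" if failed else "abandoned",
        })
    return alerts

if __name__ == "__main__":
    for alert in incomplete_2fa(EVENTS, now=1000):
        print("Password accepted but 2FA %(reason)s: %(user)s from %(ip)s" % alert)
```

Each alert would be delivered to the account owner through a channel that does not depend on the password in question, since that password is the thing presumed compromised.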

Check the ACL!

I just shot myself in the foot using Access Control Lists.

# ls -l ./somefile.txt
-rw-r-----+  1 root  www  893  Apr 4 00:44 ./somefile.txt
# getfacl ./somefile.txt
user::rw-
user:www:--x  # effective: ---
group::r-x    # effective: r--
mask::r--
other::---

In the above example, the file inherited the default ACL from the parent directory.

I’m not even going to tell you how long it took me to figure out why the web server couldn’t access the file…

If you can’t find it: check those ACLs!

And if you want to drive your colleague crazy:

# setfacl -m u:george:--- /some/random/commonly/used/file
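Why the web server was locked out of somefile.txt follows from the order in which POSIX.1e ACL entries are evaluated. The sketch below is an added example, not part of the original post: it parses the getfacl output shown earlier and applies that order. The function names and the user alice are assumptions, and privileged users such as root bypassing the check are not modelled.

```python
# Constructed input: the getfacl output for somefile.txt from this post.
GETFACL = """\
user::rw-
user:www:--x  # effective: ---
group::r-x    # effective: r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Map (tag, qualifier) -> set of permission letters."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop "# effective:" comments
        if line:
            tag, qualifier, perms = line.split(":")
            acl[(tag, qualifier)] = set(perms) - {"-"}
    return acl

def can_access(acl, want, user, groups, owner, owning_group):
    """POSIX.1e order: owner, named user, groups, other. First match decides."""
    want = set(want)
    mask = acl.get(("mask", ""))

    def masked(perms):
        # The mask caps named users, the owning group and named groups.
        return perms if mask is None else perms & mask

    if user == owner:
        return want <= acl[("user", "")]             # owner entry is never masked
    if ("user", user) in acl:
        return want <= masked(acl[("user", user)])   # groups are not consulted
    matching = [masked(perms) for (tag, q), perms in acl.items()
                if tag == "group" and (q or owning_group) in groups]
    if matching:
        return any(want <= perms for perms in matching)
    return want <= acl[("other", "")]

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL)
    # File is owned by root:www, as in the ls -l output.
    for user in ("www", "alice"):
        ok = can_access(acl, "r", user, {"www"}, "root", "www")
        print(user, "can read" if ok else "cannot read")
```

The user www matches its own named entry (--x, masked down to nothing), so the readable group entry is never reached, while any other member of group www can read the file.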

Reprocess mbox file

Say you’ve found an mbox file somewhere, and you’d like Postfix to reprocess the messages it contains, to have them imported into your regular mailbox.

Then you may want to copy this script:

#!/usr/bin/env python3

# Script to reprocess an mbox file.

################################################################################
#
# Copyright (c) 2021 Rob LA LAU <https://www.ohreally.nl/>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
################################################################################

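import mailbox, os, subprocess, sys

if len(sys.argv) < 3:
	print('Usage:')
	print('  %s recipient@example.com /path/to/mbox/file' % sys.argv[0])
	sys.exit(1)

recipient = sys.argv[1]
mbox = sys.argv[2]
if not os.access(mbox, os.R_OK):
	print('mbox file is not accessible')
	sys.exit(1)

# create=False: never create an empty mbox file if the path is wrong.
for message in mailbox.mbox(mbox, create=False):
	# '-i' keeps a line with a single dot from ending the message;
	# '--' ends option parsing, so a recipient that starts with '-'
	# cannot be read as a sendmail option.
	proc = subprocess.Popen(
		['sendmail', '-i', '--', recipient],
		stdin = subprocess.PIPE
	)
	# Pass the raw bytes, so messages with 8-bit content are resent unchanged.
	proc.communicate(message.as_bytes())
	if proc.returncode != 0:
		print('sendmail exited with status %d' % proc.returncode)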

Save that script as ~/bin/resend_mbox.py, make it executable, and execute it as follows:

# ~/bin/resend_mbox.py george@example.com /var/mail/root

Obviously, you replace george@example.com with your own email address (don’t spam poor George, please), and /var/mail/root with the path to your mbox file.

JWPlayer errors

Error Code 224002: This video file cannot be played
Error Code 224003: This video file cannot be played
Error Code 232011: This video file cannot be played

A few of the more common web video player errors, but they tell you nothing.

If you search the internet for these errors, all you find are generic bullshit ‘solutions’: clear cache, disable all extensions, disable hardware acceleration, etc. So, here’s the actual list of JWPlayer error codes: Player errors reference. Get you some real answers.

By the way, the meaning of the above errors:

  • Failed to decode the associated resource (224002),
  • Failed to play the associated resource because it is not supported by this browser (224003), and
  • A manifest request was made without proper crossdomain credentials (232011)
    (The manifest is a file that contains the URLs for the various segments that make up the entire video.)

What it comes down to, is that JWPlayer just sucks a lot, especially if you use a proxy. Let’s hope that with the growing acceptance of HTML5, with built-in video support, projects like this will go the same way Flash players did.

Counting annotations in a PDF

Suppose that you wrote a book, and your publisher sent you a PDF of the final proof to review and correct, before the book is printed. Then you may want to know how many notes you’ve added to the document when you’re done.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot /Rect \[[0-9\. ]+\] /Subtype /Text' | wc -l

It’s that simple…

And if you’d like to know how many terms you highlighted, all you have to do is replace /Text with /Highlight.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot /Rect \[[0-9\. ]+\] /Subtype /Highlight' | wc -l

Inline notes are of subtype /FreeText.

And to count all your annotations, regardless of type, just delete the subtype altogether.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot' | wc -l

Open your PDF in less to see what other interesting things you could do with grep; pipe the file through tr to get rid of the control characters.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | less