No Comments

Permitting a device to join Zigbee2MQTT in Home Assistant temporarily

{}
June 28th, 2023

The config setting for letting a new device join the Zigbee network is found in Zigbee2MQTT”s configuration.yaml

For security reasons it’s important that permit_join: is set to falseOtherwise rogue devices are able to join allowing them to send and receive Zigbee traffic.

When you want to add a new device editing this setting manually in the config file is a hassle.

Luckily you can issue this CLI command from any connected computer on the LAN to open the network temporarily:

mosquitto_pub -h <hostname> -t zigbee2mqtt/bridge/request/permit_join -m ‘{“value”: true, “time”: 20}’

This will open the network for 20 seconds, enough time to add your device, and when the 20 seconds have passed the network is secure again.

Just keep an eye that no additional rogue devices are added.

No Comments

Adding HTML from a string the safe way

April 14th, 2023

Adding HTML from a string isn’t difficult. Something like this works amazingly:

name="John"
html = `<div>Hello <b>${name}</b>,
<p>Welcome on this lovely day</p>
</div>`
document.body.innerHTML=html;

It’s easy and it’s fast, but it is not safe!

Copy and paste above code in your browser console and execute it. It will remove all content, and show the new html.

Let’s assume you get the name from an external resource or user input, instead of John it could be something like `<img src=”z” onerror=”alert(‘Your f*cked’)”`

name=`<img src="z" onerror="alert('Your f*cked')"`
html = `<div>Hello <b>${name}</b>,
<p>Welcome on this lovely day</p>
</div>`
document.body.innerHTML=html;

Copy and paste above code in your browser console and execute it.

It will execute the JavaScript code in the onerror attribute and show an alert. This demo is harmless, but innerHTML is a security hole, that opens the way to severe security risks.

innerHTML is not safe!

But help is on the way, a setHTML function, that can be tweaked by a sanitizer function.

How to use the new and secure way of adding HTML from a string

The syntax for the new function is

setHTML(input, options)

So this will work:

name=`<img src="z" onerror="alert('Your f*cked')"`
html = `<div>Hello <b>${name}</b>,
<p>Welcome on this lovely day</p>
</div>`
document.body.setHTML(html);

Keep in mind innerHTML is a property, and setHTML is an function.

setHTML is working in Chromium and Firefox, although in Firefox it’s behind a config setting. AFAIK it’s still considered experimental. To change it open about:config and toggle the preference to tru

dom.security.setHTML.enabled

Can’t wait until this is shipped as stable.

Somehow the documentation is wrong, it’s not the dom.security.sanitizer.enabled preference , but the `dom.security.setHTML.enabled` that should bet toggled.

The sanitizer preference is for the new Sanitizer() object that can be passed as an option

const attribute_sanitizer =new Sanitizer ( {allowAttributes: {"style": ["div"]}})
document.body.setHTML(unsanitized_string,{sanitizer: attribute_sanitizer}) 

That way you can tweak the elements that you want to be sanitized. Like dropping specified elements, attributes, or comments. Also very useful.

But the default is working fine in Firefox.

No Comments

Using an external AOC touchscreen on Ubuntu

{,}
March 1st, 2023

TL;DR

Using an external portable AOC 16T2 monitor as a secondary screen works well on a Ubuntu laptop, but it needs a bit of tweaking.

xinput map-to-output 14 HDMI-A-0

Connecting a touchscreen to an Ubuntu Laptop

One of the first things you’ll do when connecting an USB device, getting info about the device. Is it recognized? Issue an lsusb before and after connecting the device and watch the difference. In this case:

Check connected USB-devices in Linux

lsusb
Bus 001 Device 011: ID 1fd2:9004 Melfas LGDisplay Incell Touch

So Ubuntu does recognize the AOC 16T2 monitor as a touch-device.

For that of course an USB-C (3.0) display cable is necessary, touch information is not transferred over an HDMI cable, in that case you’ll need another USB-C cable, a USB-C 2.0 version is sufficiant.

Another check if the screen is recognized as a touchscreen, issue the xinput command, before and after

Check input devices in Linux

xinput
Melfas LGDisplay Incell Touch id=14 [slave pointer (2)]

Check connected screens in Linux

To check screen use xrandr.

xrandr
HDMI-A-0 connected

Using a touchscreen on Ubuntu, and using a touchpad at the same time causes some confusion. At the moment you use the touchscreen your mouse disappears. That does make some sense, otherwise you feel urged to move the mouse, which is of course not needed on a touchscreen.

Tip: enable locate pointer when using touchscreen

Enable the locate pointer settting in the accessibilty settings, helps you to find you’re invisible mouse. Press CTRL and you can find your mouse-position again.

Once you’re used to that, an external touchscreen works rather strange out of the box, when you’re using join display, extended desktop as a default for attaching an external monitor, which is wanted in most cases.

Strange default in Ubuntu using secondary touchscreen.

Visual the desktop is extended, but for touch-input it is not. SO the visual-desktop is different than the (touch) input-desktop. That means when you click on the second monitor, the gesture is interpreted like you touch on the first monitor.

 

 

And I tried but this cannot be solved by changing the order of screens in the display-setting, moving the external monitor to the left.

To get it working you’ll need to issue a command in the terminal.

Making a external touchscreen working in Ubuntu

To map the touch.input-desktop to the visual-desktop:

xinput map-to-output 14 HDMI-A-0

This will map the touch-desktop to the secondary AOC touchscreen.

You do wonder why this is not the default in Ubuntu. I’m not sure, maybe it was in earlier days.

But this is not working in Wayland

And there is a bigger problem. This solution works only in X11 window server, not in the new Wayland environment, which is the default nowadays in nearly all modern Linux desktop, including Ubuntu 22.04 LTS.

As it seems xinput does not find your touchscreen annymore, so no mapping can be done.

Wayland does recognize the touchscreen, there is no option yet to map  it to the right screen.

That is plain stupid a pity.

So that means you have to logout/login and switch to X11 to use your external touchscreen.

Hopefully this will fixed soon.

No Comments

How to make dmarc-cat read compressed DMARCS reports

February 16th, 2023

Dmarc reports are send as attachments by several email-services.

DMARC reports are in the XML format, so of course the reports are compressed before sending.

For example, OUTLOOK is sending them as gzip compressed:

protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.gz

Other email-servers are sending zipped attachments.

Once the report are saved dmarc-cat seems to be able to decompress .zip reports on the fly, but it fails on gz files.

So this works:

dmrac-cat protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml
dmrac-cat protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.zip

But this fails:

dmrac-cat protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.gz

How to make dmarc-cat parse gz dmarc reports?

There is a poorly documented -t switch


dmarc-cat -h

Usage of dmarc-cat:
-D Debug mode
-N Do not resolve IPs
-S string
Sort results (default "\"Count\" \"dsc\"")
-j int
Parallel jobs (default 12)
-t string
File type for stdin mode
-v Verbose mode
-version
Display version

It’s a bit unclear how it should work, but this will do the trick:

dmrac-cat -t .gz protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.gz

And it also miraculously parses zip files, so this works also:

dmrac-cat -t .gz protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.zip

Add dmarc-cat as an alias for dmarc-cat -t .gz

So just add dmarc-cat as an alias in dmrac-cat -t .gz to .bash_aliases and your good to go:

echo "alias dmarc-cat='dmarc-cat -t .gz'" >> ~/.bash_aliases

This will save you some keystrokes the rest of you life!

dmrac-cat protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.gz
dmrac-cat protection.outlook.com!<domain>!<timestamp-start>!<timestamp-end>.xml.zip
No Comments

Trouble updating some packages in Ubuntu 22.04, because they are kept back

{,}
January 17th, 2023

Maybe you have seen this message more often then before, while updating your computer manually through the terminal:

The following packages have been kept back:
<package-name>
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Historically that could be the case with the classic commands

sudo apt update && sudo apt upgrade

Because that command is careful (doesn’t update) about packages that can introduce dependency conflicts

But that update command has been superseded by

sudo apt update && sudo apt full-upgrade -y

The latter commands also remove packages to resolve dependency conflicts, and in most cases that is everything you want.

But now upgraded to Ubuntu 22.04 I see the kept back message more and more, even when I did a sudo apt update && sudo apt full-upgrade -y

And as it seems, that is absolutely OK, it’s part of the new phased roll-out mechanism. Packages that can break things are introduced in batches. First only a small percentage of users are getting the new version, so if there are bugs, only a small number of people are hit, and the bugs can be fixed before it is introduced on a bigger scale.

How to check if packages are `phased`

apt-cache policy <package-name>

e.g. gnome-remote-desktop

apt-cache policy gnome-remote-desktop 
gnome-remote-desktop:
Installed: 42.4-0ubuntu1
Candidate: 42.7-0ubuntu1
Version table:
42.7-0ubuntu1 500 (phased 0%)
500 http://nl.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
*** 42.4-0ubuntu1 100
100 /var/lib/dpkg/status
42.0-4ubuntu1 500
500 http://nl.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Just be a little patient. The update will normally come in a few days.

1 Comment

Find the total size of certain files within a directory tree before deleting them

{,,}
January 13th, 2023

Normally I use find, as it is installed by default on any Linux computer or server or terminal I worked with, but lately on my desktop I start using `fdfind` more and more.

Why? Its faster and easier to work with than find.

I really like the user-friendly syntax of `fd` AKA `fd-find` or `fdfind` compared to the classic `find` command.

In Ubuntu the program is installed with `sudo apt install fd-find` and executed as `fdfind`

`fd` uses a regex as the standard search pattern.

Time for some examples.

To find all files in a directory tree that have jpg in their name

Very intuitive and concise.

fdfind jpg

To find all jpg files (extension jpg) in a directory tree

Think I need all files with [e]xtension jpg, the command is again very intuitive:

fdfind -e jpg

To delete all jpg files in a directory tree

Think I need all files with [e]xtension jpg then e[x]ecute a command to delete them [rm], the command is very intuitive:

As the normal delete command in bash is `rm`

fdfind -e jpg -x rm

That’s all.

Another interesting thing to know, what disk-space I’m gonna win by deleting all jpg files.

Find the total size of jpg files within a directory tree (wrongly)

Think: I need all files, and then calculate the filespace of all files.

The normal command of getting a total size of several files is use `du -ch *.jpg` This will list of files and Count a total on the last line. To get just the last line. pipe it to tail, to gets just the last line.

du -ch *.jpg |  tail -1

But du doesn’t work recursive in subdirectory. You can use a trick with globstar, but much easier is it to combine with fd, so you would come to something like this.

fdfind -e jpg -x du -ch | tail -1

But that doesn’t work right, it seems to computes totals for every file, and just show to size of the last result.

Find the total size of jpg files within a directory tree (correctly)

We need the `-X` option here the `execute-batch` command, that runs the command only once on all search results as arguments

fdfind -e jpg -X du -ch | tail -1

Find correctly find the total size of jpg files in a directory and the first level of subdirectories

And with `fdfind` command it’s easy to control Depth, just add a -d option. This will only search in the main and the first subdirectory level.

fdfind -d 2 -e jpg -X du -ch | tail -1

And now you ask yourself. Can I find the size of all jpg files in the third level of subdirectories.

Of course! And easier than you think

Find the total size of jpg files in the third level of subdirectories depth

fdfind --min-depth 4 --max-depth 4 -e jpg -X du -ch | tail -1

See more:

https://github.com/sharkdp/fd