GNOME Screensaver

I mentioned two posts ago that I had remaining issues with my Linux laptop around firewalld and the lock screen.  The last post covered firewalld, and this one will cover the lock screen.

When I close my laptop lid I like the machine to suspend.  This is controlled in Fedora 23 by /etc/systemd/logind.conf, with the line “HandleLidSwitch=suspend”, which is the default.  However, if the last focus was on my browsing VM (as it often is) the machine would wake up to a completely logged in desktop due to VirtualBox conflicting with gnome-screensaver.  Not good!

The specific error the GNOME desktop reports in the system log is:

gnome-shell.desktop[2189]: Gjs-Message: JS LOG: error: Unable to lock: Lock was blocked by an application

I am sure that there are really good reasons to let VirtualBox block the screensaver.  The most obvious being if the machine can’t detect that it has handed control to virtualbox and starts up the screen saver despite current activity in the VM.  It could also be that there is some resource contention around grabbing control of the keyboard/mouse when some other app has that full control.  However, all of this should go out the window when the laptop goes to sleep.  Whatever the reason, it is horrible and downright unacceptable for security.

After poking around a bit I found that this had been reported previously to the developers, but it was closed with a WONTFIX and a developer statement that “there is nothing we can do about it”:

Awesome, so everyone in their right mind should stop using GNOME forever for security reasons, right?

Not quite.  After some poking around (man systemd-sleep) I found that all executables stored in /usr/lib/systemd/system-sleep will be executed when the machine is put to sleep.  There are a couple options for what can be done here:

  1. wmctrl – this is a handy cli tool which lists the currently open windows and lets you change the focus.
  2. xlock – other screensavers are not as *cough* unable to do anything about it as the GNOME project.

Using xlock was very easy (sleep a couple of seconds to let gnome fail, then run xlock & as the user), but it gives a truly 1995 feel to the lock screen which is completely inconsistent with the rest of the UI.

Instead I wrote a much more complicated shell script around wmctrl and put it in /usr/lib/systemd/system-sleep/lock:


#!/bin/sh
# /usr/lib/systemd/system-sleep/lock
# systemd-sleep runs this with $1 set to "pre" or "post"; the script does not distinguish them,
# because on "post" the query below finds the screensaver already active and does nothing.

# have to grab the newest gnome-session so we don't grab gdm's d-bus session information by mistake
gsPid="$(pgrep -n gnome-session | grep -E '^[0-9]+$')"
if [ -z "$gsPid" ]; then
  echo "gnome-session does not appear to be running" 1>&2
  exit 1
fi

export DISPLAY=:0
# /proc/PID/environ is NUL separated; turn the NULs into newlines before grepping for the bus address
export DBUS_SESSION_BUS_ADDRESS="$(tr '\000' '\n' < "/proc/${gsPid}/environ" | grep '^DBUS_SESSION_BUS_ADDRESS=' | cut -f2- -d=)"

# map the session's login uid back to a user name; only accept a plain number from loginuid
desktopUser="$(id -nu "$(grep -E '^[0-9]+$' "/proc/${gsPid}/loginuid")")"

# "The screensaver is inactive" -> fourth word is the state
running="$(/usr/bin/sudo -E -u "$desktopUser" -- /usr/bin/gnome-screensaver-command --query 2>&1 | awk '{print $4}')"

# skip everything if the screensaver is already running
if [ "$running" = "inactive" ]; then
  # first window in the list whose line does not mention VirtualBox (first word of its title)
  newfocus="$(/usr/bin/sudo -E -u "$desktopUser" -- /usr/bin/wmctrl -l 2>&1 | /usr/bin/grep -v VirtualBox | /usr/bin/head -n1 | /usr/bin/cut -f5 -d' ')"
  if [ -n "$newfocus" ]; then
    # change window focus to a non-virtualbox window
    /usr/bin/sudo -E -u "$desktopUser" -- /usr/bin/wmctrl -a "$newfocus" 2>&1
  else
    # we have no windows open that aren't virtualbox, expose the desktop instead
    /usr/bin/sudo -E -u "$desktopUser" -- /usr/bin/wmctrl -k on 2>&1
  fi
  # lock the screen
  /usr/bin/sudo -E -u "$desktopUser" -- /usr/bin/gnome-screensaver-command --lock 2>&1
fi

I suppose complicated is an exaggeration.  It’s a horrible horrible hack though.  For the security minded, I did attempt to validate input, quote its use, and separate it from command arguments.  The window name can still contain arbitrary characters, but with how I’m passing the variable to sudo I’m comfortable with the risk on my local laptop.

Come on GNOME…  xlock can do it just fine, let’s be a little inventive and solve it properly.

At least my laptop will lock properly in the meantime.


As a follow-up to my last post on the Linux desktop I thought I would write more about the firewall interface firewalld.

First I will share the good: it has a “panic mode” which blocks all network traffic in all directions.  Pretty funny.

$ sudo firewall-cmd --panic-on

Now the bad..  you essentially can’t tell what it’s doing.

I want a firewall that drops all packets inbound unless they are in response to an outbound packet, and logs the drop.

So I can take a look at the default firewall that Fedora ships with:

$ firewall-cmd --zone=FedoraWorkstation --list-all
 services: dhcpv6-client samba-client ssh
 ports: 1025-65535/udp 1025-65535/tcp
 masquerade: no
 rich rules:

Is this default deny? Drop or reject? Any logging? Using iptables to print out the current rules (and nmap to confirm) shows that it is inserting a reject as the last rule in the INPUT chain. Great, how do we change that to a drop and log? Of course, none of the settings firewalld can modify directly for this zone will change it. It offers an odd interface to the chains directly (--direct) for additional rules, but not a way to modify what it writes.

There are a number of decent documents that outline how to use firewalld within its limitations, this being one of the better:

This article outlines that the zone “drop” will drop all inbound that isn’t part of a tracked connection. Funny that the man pages mention none of this, and the tool output doesn’t differentiate “drop” in any way from “block”.  Also, there is no user-friendly way to enable logging of dropped packets.

$ sudo firewall-cmd --set-default-zone=drop

So in the goal of improving user friendliness, Linux again is hurting functionality and configurability.  Ugh.  Of course, you can still switch it all back to the iptables way of functioning if you like.  At this point, I’d highly recommend it.
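Since the post leaves the "iptables way" as the recommendation, here is what that looks like for the policy asked for above (drop unsolicited inbound, allow replies to outbound, log the drops), plus the check that tells you what a zone actually does to a packet nothing else matched.  This is an added example, not the post's script: it writes an iptables-restore ruleset and parses "iptables -S INPUT" style output; the firewalld sample inside it is constructed to match the shape described in the post (policy ACCEPT, terminal REJECT), not captured from a real box.  Loading the ruleset needs root and is deliberately not done by the script.

```shell
#!/bin/sh
# Added example, not the post's own script.  Three helpers:
#   write_ruleset FILE   writes an iptables-restore ruleset for the policy the
#                        post asks for: drop unsolicited inbound, allow replies
#                        to our own outbound traffic, log what gets dropped.
#   chain_policy         reads "iptables -S INPUT" output on stdin and prints
#                        the chain policy (what happens when no rule matches).
#   last_rule_target     same input, prints the target of the last INPUT rule.
# Applying the ruleset needs root ("iptables-restore < FILE") and is not done here.

write_ruleset() {
    # iptables-restore ignores lines that start with '#', so the file can carry comments
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host started (and related ones, e.g. ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are dropped quietly
-A INPUT -m conntrack --ctstate INVALID -j DROP
# everything else is logged (rate limited so a port scan cannot flood the journal)
# and then falls through to the chain policy, which is DROP, not REJECT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

chain_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

last_rule_target() {
    # last "-A INPUT ..." line; print the word that follows "-j"
    grep '^-A INPUT ' | tail -n 1 |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-j") print $(i + 1) }'
}

# Constructed sample shaped like firewalld's INPUT chain as the post describes it
# (policy ACCEPT, zone dispatch, then a terminal REJECT).  Not captured output.
firewalld_sample='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Demo: on a live box feed "sudo iptables -S INPUT" into the two helpers instead
echo "firewalld sample: policy=$(printf '%s\n' "$firewalld_sample" | chain_policy) last rule=$(printf '%s\n' "$firewalld_sample" | last_rule_target)"
```

The point of the two parsers is the question the post asks: a chain whose policy is ACCEPT but whose last rule is REJECT is "default deny" only as long as that last rule stays in place, and it answers probes with ICMP rather than silence.  The generated ruleset moves the deny into the chain policy and puts a rate-limited LOG rule in front of it, which is the "drop and log" firewalld would not write.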

Linux Desktop

A few months ago I was working on learning more about wireless security and I found that MacOS just wasn’t cutting it compared to how all of the tools worked in Linux.  As one of my co-workers pointed out, there was always the option of an external USB antenna and mapping that through to a Linux VM.  However, I really wanted to refresh myself on Linux more deeply and I knew a VM wasn’t going to do that.  Also, I didn’t own a laptop, and the idea of picking one up that didn’t include the “Apple Tax” was pretty appealing.

So I went out and bought an ASUS Zenbook UX305FA (I paid $690), and I’ve been very happy with it.  After quite a bit of playing, I’ve finalized on Fedora as my desktop distribution of choice and GNOME 3 as my desktop environment.  I’ve setup a separate VM with only a browser (fedora minimal install+x11+openbox), which virtualbox displays pretty nicely with seamless mode.

Overall it works pretty well.

BUT…  and I have to say it’s a big but, the Linux desktop environment really hasn’t progressed since the late 90s in terms of user experience.  I ran AfterStep and Enlightenment in Linux in the ’90s, and I remember using fvwm/blackbox for shorter periods.  I booted to console, typed startx, and my .xinitrc ran my desktop items.  Right about the time I switched to FreeBSD as my primary desktop, this new fangled thing called GNOME came out.  Rather than every config change being editing a text file it came with integrated settings panels, it had native apps, and it aimed to be more than just a window manager.  It was pretty impressive for an open source project, and I was excited to see how it would compete with Windows and MacOS over the years.  Except.. it didn’t.

Honestly, as I’ve configured things in GNOME recently, it is not only stalled on features from the ’90s, but it has managed to become more difficult to configure.  Now of course, I know it really hasn’t stalled on features, but take the basic configurability of the environment from a user perspective and it really feels like it.

One of the most obnoxious examples is the gnome-keyring.  Now I’m very familiar with the MacOS keychain.  One of the features it provides is auto-reading in SSH keys from ~/.ssh and setting SSH_AUTH_SOCK for OpenSSH to know it is acting as your ssh agent.  Each time I reboot the Macs I use, I go to a terminal window and type ‘ssh-add’, enter my obnoxiously long passphrases, and the keychain can now use those keys for ssh until the next reboot.  I was pretty excited to see that gnome-keyring would do the same thing!  Except it won’t.  My keys are not using default settings/types for creation, which apparently makes gnome-keyring fail to function.  It does not fail to load the keys and try to act as an ssh agent, it just fails to present the keys for auth.  Great, so I’ll just disable it and go back to .bashrc ssh-agent methods, right?  Not so fast.

First, we’re in a UI environment, but there is no setting for it in the UI..  No problem, there must be a simple script/setting where I can just comment out gnome-keyring, right?  HAH!  Not really..  The final solution was taking /etc/xdg/autostart/gnome-keyring-ssh.desktop file and copying it to ~/.config/autostart, then adding the line X-GNOME-Autostart-enabled=false

Of course, that’s actually not that complicated, but the problem I have is with how it just isn’t intuitive.  The Linux desktop and GNOME really isn’t that advanced.  Why is that not a more simple thing presented to the user?  Also, when searching the Internet for the answer, you’ll realize that with many revisions of GNOME and many distributions of Linux, there is 100 different ways people have solved this problem, many of them correct in their own little splintered world of Linux+GNOME.  My favorite was the guy who wrote a daemon that sent SIGKILL to gnome-keyring if it ever started, because he gave up figuring out how it autostarted.  A solid example of how badly documented and inconsistent this all is.

Clearly user-friendly is not a priority for the GNOME project and the Linux desktop.  Maybe in another 15 years they’ll get there.

A few other quirks of note.

  • I had to disable secure boot to load the virtualbox kernel modules with a kernel patched to current – this makes me unhappy
  • Nothing on shows as supported with the current version of GNOME, but Fedora has rpms for a few of the extensions to make up for some of it
  • The screen brightness keyboard buttons on this machine (fn+F5/F6) don’t work, so I mapped windows key+F5/F6 to xbacklight -inc/dec 10.  This is the only unsupported item I’ve found for this hardware
  • Audio is very quiet at max, so I installed pavucontrol which supports going to 153% what the default ALSA mixer does

In any case, I have a Linux desktop that seems to be working pretty well now.  I have a kali and remnux VM setup, and the seamless mode browser VM.  Everything on disk is encrypted, and I’ve locked down the rest pretty well.

My only outstanding items to fix are:

  • when focus is on a VM the gnome-screensaver will sometimes be blocked from locking the screen, so even when resuming from sleep the machine may be unlocked
  • firewalld.  This seems to be regression of capability from the iptables CLI, but I’m giving it a chance and reading all the documentation before I rant too much

I’m sure in a few upgrades I’ll have to re-do half of this, because..  Linux.


network music storage and macos annoyances

For a long time I’ve kept my music on a network accessible drive in the house.  I started to do this because I had multiple computers I actively used and wanted to access it in a central location.  The FreeBSD machine served up NFS and SMB to the machines that needed it, and it worked fine.

Eventually I got a couple Squeezeboxes and needed it to stay on that server so I had place to run the server for playing music.  I even wrote a perl script that used MP3::Info to confirm various "minimum requirements" for quality in the music I stored, and even confirmed that the ID3 tags matched the filenames and directory structures.

More recently I decided that managing album art, ID3 tags, and syncing the music quickly and reliably meant switching to iTunes.  BUT, I had no desire to switch away from the network share method.  This is because I still needed to host the music for the Squeezeboxes.  I have a 500GB drive hooked up to my iBook G4 that serves as my backup server (Time Machine / rsync depending on OS), so I just added a partition to that for the music and set it all up.

Things worked absolutely great.  Sure, I noticed some delay in big updates in the music or apps on my iPhone, but they were relatively minor in the scheme of things.  

I did have some problems with my laptop going to sleep though.  Sometimes my MacBook would wake up from sleep and forget the network share.  This meant a minor inconvenience of telling iTunes where to find its folders, and by navigating to the right location, remounting the drive.  It’s even pretty easy to create an alias to the mount point on your desktop and just double click on it to re-mount the share.  I wish MacOS would handle that better, but it was life..

That is.. except when I was actually running iTunes and I put my laptop to sleep.  iTunes would crash when it realized it had lost its data.  Not only would it crash, but it would spin out of control, eating massive amounts of CPU and make it a pain in the butt to even kill off.

I was finally able to solve the problem tonight.

First, I installed SleepWatcher from  – this application allows for the execution of commands from the cli on sleep or wake up from sleep.

I installed both the daemon and the startup package and rebooted my machine (needed to do some software updates anyways).

Next, I copied some basic scripting from this (mostly) unrelated blog entry;

and came up with;


#!/bin/bash
# re-mount a share from the iBook if it is missing; the share name is the first argument
function doMounts {
  vol="$1"
  mnt_cnt=$(/sbin/mount | grep -ic "/Volumes/$vol")
  if [ "$mnt_cnt" -le 0 ]; then
    /usr/bin/osascript <<EOT
    tell application "Finder" to mount volume "afp://myiBookG4/$vol"
EOT
  fi
}

# check every 5 seconds for a minute; the OS can take a while to notice the share is gone
for (( i=0; i < 12; i++ )); do
  doMounts "iTunes Library"
  sleep 5
done

exit 0

Since it will sometimes take the OS a few seconds to realize it has lost the share, or even more to reinitialize all the hardware if it actually hibernated, I told it to look to see if the mount was there on a 5 second interval for a minute.

I’ve tested it a few times, and it re-mounts the network share with great reliability..  Hopefully this solves all the annoyances above.

Now.. Apple.. I shouldn’t have to do this.  Please fix it!

useful applescript

I’ve been hooking up my MacBook to the setup (mouse/keyboard/lcd) usually connected to a Windows machine over the last few days.  It works great except for the reversed Command + Option on the keyboard mappings.  I googled for something eloquent and found this;  Unfortunately, whenever he wrote that, it is outdated now.  I updated it for Leopard, and I can now just use Spotlight to execute "Change Keyboard" as I saved it as an Application to my Applications folder with that name.  Here is the updated version;


tell application "System Preferences"
    set current pane to pane ""
end tell

tell application "System Events"
    get properties
    tell application process "System Preferences"
        click button "Modifier Keys…" of tab group 1 of window "Keyboard & Mouse"
        set commandKey to value of pop up button 1 of sheet 1 of window "Keyboard & Mouse"
        -- DEBUG
        -- display dialog commandKey
        -- Default, lets flip
        if commandKey ends with "Command" then
            -- click the pop up button menu "Option", this menu does not exist until it is clicked in the GUI
            click pop up button 2 of sheet 1 of window "Keyboard & Mouse"
            -- click "Command" of the pop up menu
            click menu item 4 of menu 1 of pop up button 2 of sheet 1 of window "Keyboard & Mouse"
            -- delay briefly
            delay 1
            -- click the pop up button menu "Command", this menu does not exist until it is clicked in the GUI
            click pop up button 1 of sheet 1 of window "Keyboard & Mouse"
            -- click "Option" of the pop up menu
            click menu item 3 of menu 1 of pop up button 1 of sheet 1 of window "Keyboard & Mouse"
            -- delay again
            delay 1
        else
            -- Not Default, lets flip it back
            click button "Restore Defaults" of sheet 1 of window "Keyboard & Mouse"
        end if
        -- click "OK" to dismiss the sheet
        click button "OK" of sheet 1 of window "Keyboard & Mouse"
    end tell
end tell

tell application "System Preferences" to quit

more video for fun and profit

Well, I read more, and I played more.

First, the original video I posted sucked.  I couldn’t figure out why iMovie HD was degrading the video for the life of me.  I tried every encoding setup known to man, but just couldn’t figure it out.  Finally I realized that when I had originally hit "Create a New Project", I had selected to save it in MPEG, instead of DV.  This meant I was starting with already compressed video from the beginning!  I realized it when I had finally posted the first project all over the web and started to work on another video.

So.. I started over the first one with DV, re-did all the editing, re-exported, and it was the same as the original AVI quality.  Woohoo!  Next I spent a few hours scouring the web for what h.264 bitrates should be used to represent standard definition (480p) and high definition (1080p) video.  I’ve come to the conclusion that there is no clear direction amongst the world.  However, I have to make some decision, so my belief based on reading is that 2mbps for 480p and 8mbps for 1080p are appropriate with h.264.  Since those reference average bit rates, I will set the QT encoding to a max bit rate of 2.5mbps for 480p and 10mbps for 1080p.

My logic for the audio is pretty similar since I do all my MP3s in 192kbit VBR, and the AAC is set to 224kbit.  If I ever end up with video taken with a better audio feed than a basic handheld camcorder/camera, I’ll have to return and play with that part more.