Picture of Jürgen Kreileder

New-Style Last.fm Scrobbler for Ubuntu Oneiric

My last.fm plug-in for Rhythmbox is now available for Ubuntu 11.10 (Oneiric Ocelot).

You can get the packages by running the following commands in a terminal:

$ sudo add-apt-repository \
    'http://blog.blackdown.de/static/debian/rhythmbox/ main'
$ wget https://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install rhythmbox rhythmbox-plugins lastfm

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also note that my plug-in requires the lastfm client to work correctly.

If you are using Ubuntu Unity and you are missing the last.fm client’s systray icon, then take a look at Whitelisting the Last.fm Tray Icon in Ubuntu Unity.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

OS X Applications Insecurely Installing World-Writable Files

Files, directories, and devices that are writable by any user (“world-writable”) on a multi-user system can be dangerous, locally exploitable security holes. There are very few legitimate reasons for having world-writable files and directories on a system.

Many UNIX and Linux systems actually have cron jobs that check for world-writable files. On Apple’s OS X there is no such safeguard and many vendors do not seem to care about file permissions much at all. Several well-known applications are either installed with world-writable files or create them when used:

World-writable files in system directories

The following applications install world-writable files in shared directories (/Applications, /Library, …):

  • Adobe CS 4, CS 5: Some uninstallers + several files and directories in /Library/Application Support + various stuff in other locations
  • Adobe Media Player: directory + some files in Contents/Resources
  • Adobe Flash Player: directories (including AddIns and AddIns/airappinstaller)
  • Amazon MP3 Downloader: some directories
  • EPSON (Scan, TWAIN data source, Easy Photo Print, …): pretty much everything, including executables
  • Eye-One Match 3: complete app, including executable
  • eMusic Download Manager: complete app, including executable and JavaScript (the application is based on Mozilla)
  • Telltale games: complete apps including executable and libraries
  • Apple OS X: some plist and cache files, including at least one LaunchDaemon plist file
  • Google+Growl Utility (not a Google product): whole app including executable
  • HP Scan Pro (plus supporting files): everything including executables
  • DivX Converter: resource files
  • Apple Remote Desktop: some plist files
  • Apple GarageBand: several plist and data files
  • Apple ColorSync: some profiles
  • Microsoft Office 2011: directory in /Library/Application Support
  • Elgato EyeTV: several plist files
  • ABBYY FineReader Sprint 8.0: several data files
  • ArcSoft (Connect Suite, MediaImpression 2): all files, including executables
  • Extensis Suitcase Fusion 2: all files, including executables

World-writable files in user directories

The following applications install world-writable files in user directories (/Users/$USER):

  • GoogleGrowl.plugin: whole plugin including executable
  • 3rd-party extensions for Apple Safari: some extensions (e.g. AdBlock) install world-writable files
  • Apple iPhoto: the whole library seems to be world-writable
  • Adium add-ons: several add-ons install world-writable files
  • eMusic Download Manager: some preferences files are world-writable
  • Adobe (CS 4, CS 5, Flash, …): several preferences files
  • Apple MobileDevice: crash logs are world-writable

The lists have been compiled by inspecting my own systems and those of several friends by running

sudo sh -c \
  "find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print0 | \
   xargs -0 ls -dl 2>&1 | \
   tee world-writable-files.txt"

and analyzing the output.

Note that running Disk Utility’s “Repair Disk Permissions” does not have any influence on the issues described here.

Most OS X installations are probably single-user systems in reality, but the situation is still somewhat ugly.
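
The triage step behind “analyzing the output”, as an added example that is not part of the original post: it applies the same filter as the find command above (world-writable, excluding sticky directories and symlinks) and labels each hit by what it exposes. The function names ww_audit and ww_fix and the class labels are made up for this example; -perm -0002 is used in place of +o=w because both BSD and GNU find accept it.

```shell
#!/bin/sh
# Added example (not from the original post): triage world-writable entries.
# Usage: ww_audit /Applications | sort
#        ww_fix "/Applications/Some.app"    # hypothetical bundle path

# Print one "CLASS<TAB>path" line per world-writable entry under $1.
# Sticky directories (such as /tmp) and symlinks are skipped, as in the
# original find command. Classes, highest concern first:
#   EXEC    regular file with any execute bit: code other users may run
#   LAUNCHD plist under a LaunchDaemons directory
#   DIR     directory without the sticky bit: entries can be replaced
#   DATA    anything else (preferences, caches, logs, ...)
ww_audit() {
    find "${1:-/}" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l \
        \( -type d -exec printf 'DIR\t%s\n' {} \; \
        -o -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
               -exec printf 'EXEC\t%s\n' {} \; \
        -o -path '*/LaunchDaemons/*.plist' \
               -exec printf 'LAUNCHD\t%s\n' {} \; \
        -o -exec printf 'DATA\t%s\n' {} \; \) 2>/dev/null
}

# Remove the other-write bit from regular files and directories under $1.
# Sockets, devices and sticky directories are deliberately left alone.
ww_fix() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) \
        \( -type f -o -type d \) -exec chmod o-w {} +
}
```

Point ww_fix at a single application bundle or support directory rather than at /, and review the ww_audit output for that path first.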

New-Style Last.fm Scrobbler for Ubuntu Natty

My last.fm plug-in for Rhythmbox is now available for Ubuntu 11.04 (Natty Narwhal).

You can get the packages by running the following commands in a terminal:

$ sudo add-apt-repository \
    'http://blog.blackdown.de/static/debian/rhythmbox/ main'
$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -
$ sudo aptitude update
$ sudo aptitude install rhythmbox rhythmbox-plugins lastfm

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also note that my plug-in requires the lastfm client to work correctly.

If you are using Ubuntu Unity and you are missing the last.fm client’s systray icon, then take a look at Whitelisting the Last.fm Tray Icon in Ubuntu Unity.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

Whitelisting the Last.fm Tray Icon in Ubuntu Unity

While the rhythmbox packages with my scrobbler plug-in for Ubuntu Natty are building, here’s a short tip on how to get the last.fm client to show up in the system tray with Ubuntu Unity.

Run the following command in a terminal:

$ gsettings set com.canonical.Unity.Panel systray-whitelist \
    "$(gsettings get com.canonical.Unity.Panel systray-whitelist | \
       sed -e "s:\[:\['Last.fm' ,:")"

After logging out and back in, the last.fm client will show up in the systray again.

Facebook Chat Via XMPP Finally Supports TLS

It looks like Facebook silently introduced encryption for chats in XMPP/Jabber clients (Pidgin, Adium, etc.): its servers now support the use of TLS as defined in RFC 3920.

Facebook’s FAQs (1, 2) have not been updated accordingly yet.