
Non-Superuser Write to VFAT

karma

FAT32 (vfat) does not support conventional Linux permissions; the ability to write must be granted at mount time. An autoconfiguring GUI utility (i.e. a file manager) generally applies appropriate permissions when it mounts a vfat volume, but if you are quickly trying to copy files to or from an SD card, memory stick, etc. from the command line you have two options aside from doing everything as root (and reloading your X file manager as root, for example): create a (semi-)permanent entry in /etc/fstab with the user or users option (see the fstab man page for more information) and run the mount command as that user, or mount the volume from the CLI, assigning ownership with mount options:
mount /dev/vfat_partition_node /mnt/mountpoint -o uid=1000[,gid=1000]

Replace 1000 with the UID of the user you wish to give full ownership of the filesystem contents to and, optionally, the GID of the group you would like to assign ownership to. Other options like umask can modify permissions globally at mount time; check the mount man page for more details.
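As an added example (not from the original post), the two routes above assembled as shell functions: one builds the uid/gid/umask option string for a named account, the other turns it into an /etc/fstab entry with the user option. It assumes a POSIX sh with id(1); the device node and mountpoint are placeholders.

```shell
# Added example, not from the original post. Assumes POSIX sh with id(1);
# device node and mountpoint are placeholders.

# vfat_opts USER [UMASK]  ->  "uid=N,gid=M,umask=XXX"
# vfat stores no per-file mode bits, so the kernel fakes them: every file and
# directory shows rwxrwxrwx minus UMASK. 022 gives the owner read/write and
# everyone else read-only; 077 hides the contents from other local users.
vfat_opts() {
    user=$1
    um=${2:-022}
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    printf 'uid=%s,gid=%s,umask=%s' "$uid" "$gid" "$um"
}

# fstab_line DEVICE MOUNTPOINT USER  ->  one /etc/fstab entry
# 'user' lets that account run `mount MOUNTPOINT` unprivileged and, per mount(8),
# implies noexec,nosuid,nodev; 'noauto' stops a missing card from delaying boot.
fstab_line() {
    printf '%s %s vfat noauto,user,%s 0 0\n' "$1" "$2" "$(vfat_opts "$3")"
}

# One-off mount as root (placeholder paths), or the fstab route:
#   mount /dev/vfat_partition_node /mnt/mountpoint -o "$(vfat_opts alice)"
#   fstab_line /dev/sdb1 /mnt/sdcard alice >> /etc/fstab
```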

Qubes Cheat Sheet: Cribbing POWER9's Hardware Compatibility List

karma

With all credit due to poster Justin at the Qubes User Forum for this stroke of genius in Recommended USB cards for Qubes?:

I have found PCIe device selection for QubesOS quite complicated.

My shortcut was to use the stringent POWER9 PCIe hardware requirements to identify prospective PCIe Devices

RCS Wiki: POWER9 Hardware Compatibility List/PCIe Devices

Permanently Disable Antimalware Service Executable (MsMpEng.exe) Causing High CPU Load

karma

Most high PageRank(tm)ing articles regarding Antimalware Service Executable gobbling your precious CPU cycles encourage you not to try to disable Microsoft Defender Antivirus (née Windows Defender) at all - the suite responsible for this process. That's excellent advice for common folk but you're an evil genius that insists your underpowered Atom subnotebook or your sorely overallocated Windows virtual machines are usable at the expense of the debatable protection this resource hog affords. Realtime antivirus protection is after all best suited for reckless random program-downloading drunks and freeware card game addicted grandmothers. You have the self control to only run trusted software, install only programs you set out to download and if you must test a shady .MSI-of-the-night you have the good sense to do it in a disposable VM.

As the Settings > Windows Security > Virus & threat protection settings > Manage settings > Real-time protection toggle correctly admonished you before you came looking for this: You can turn off this setting for a short time before it turns back on automatically. It's nice that Windows respects you as the owner of your own computer. Don't take this crap lying down! You always have options.

  1. Install a more efficient alternative Antivirus Provider
    Probably your safest option but not why you picked this search result.
  2. First Step: Disable Tamper Prevention
    Most of the following methods require you to first disable this security feature.
  3. Optional: Run as TrustedInstaller
    There's no telling what permissions problems we're going to run into and they can change from Windows Update to Update. Let's preempt the bother and take control of the system.
  4. Windows Home: Registry Edit
    The registry edit method worked for me on a fully updated installation of Windows 10 at the time of publishing but there are circumstances where it might be ignored.
  5. Windows Home: Autoruns64
    There is a GUI utility that might be the answer for you.
  6. All Other Versions: Group Policy Editor (gpedit.msc)
    The generally accepted method for politely and permanently disabling Defender is to use the Group Policy Editor found on Pro/Ultimate/etc. distributions but unfairly missing from unmodified Home installations.
  7. Windows Home: Installing Group Policy Editor (gpedit.msc)
    Microsoft wants you to pay for a few bits of code they already made which you can find lying around everywhere. Pinch it like a tea leaf; I won't tell if you won't tell! :)
  8. All Versions: LiveCD Filesystem Assault
    When all else fails we can just march on in and fsck its junk right up!

1. Installing an alternative Antivirus Provider

When a compatible third party antivirus/antimalware engine is detected to be running, Defender will automatically deactivate. The idea here is that if we can install an engine that is more modular and provides finer control over configuration, we can engineer a situation that still provides some protection from malware but uses fewer resources than Defender. A conventional blog post on malware defense would encourage you to configure Defender to scan alongside your alternative engine; I will take this opportunity to suggest that you go back to your Manage providers settings later and double check that Defender's Periodic Scanning option is still disabled (the default) after installing your favourite third party scanner.

I'm not paid to recommend MalwareBytes (https://www.malwarebytes.com/) but I'm comfortable pushing it on you because of its long benevolent track record and consensus warm feelings from the security and privacy conscious. That being said I have not performed any benchmarks - neither casual nor diligent - that could give me any legitimate footing to claim this configuration is better than Defender alone. Consider it an exercise in exploring all the options; if security absolutely takes a back seat to performance in your situation feel free to skip ahead.

Be prepared to skip installing the optional free browser protection add-on as you sprint through the installer, on the assumption our main objective here is resource reclamation. Post-install you will be badgered to buy and forced to try Premium - which contains all the resource wrangling features you never wanted. Apologies in advance for the minor aggravation to be visited upon you at trial's end two weeks hence. Don't forget to use creative swearing in the following slide's Email field to show your appreciation for the inability to opt-out in advance.

While I think a monthly-or-so manual malware scan is good juju, even on machines you know you practice ninja-level browser hygiene with (browser 0dh3y, PDF links, psychopathic boyfriends' USB sticks, minor miracles - even herpes - sometimes happen to the very best of us) that's now your problem to forget. We're here to lock this crap down. Under the Real-Time Protection UI card un-toggle every option including but, if different, not limited to:

  • Web Protection
  • Ransomware Protection
  • Exploit Protection

You MUST leave Malware Protection enabled or Windows will not recognise a running AV engine and will not hand over the reins from Defender.

By default a daily scan is configured to start tomorrow. Click the date in the Scanner UI card and either delete the scheduled task or modify it to suit your needs. If you choose to configure automated scanning you should probably leave automatic updates enabled in the following steps. Don't forget to click Advanced and check Scan for rootkits - I cannot fathom why that's not enabled by default.

Now click the gear icon to open settings. Going through each tab, disable or change each option accordingly (again, use your judgement if the options have changed in the intervening time since this was published):

  • Automatically download and install updates (but don't forget to manually check for updates before every manual scan! leave enabled if you can't trust yourself or if you want your Realtime Protection to be as effective as possible. You're stuck with that much anyway, choose your preference accordingly.)
  • Notify me when a new version becomes available
  • Add Malwarebytes options to Windows Explorer (unless you'd like the option to quickly scan individual files from the Explorer shell; the performance hit from including the context menu items is in truth likely marginal, but we're serious about optimization right?! RACING STRIPES!! HARDCORE!!! \m/)
  • Change Manual scan performance impact to take less priority in case you end up needing to use the machine after starting a manual scan. One cannot predict the future after all.
  • Usage and threat statistics - I have no evidence this will help but it could cut down some daemon's background chatter and what do they need to see your dirty files for anyway?
  • Alert me if any Real-Time Protection modules are turned off. *I* turned them off, I don't want to hear it whining!
  • Update threat intelligence
  • Windows startup
    • Advanced
      • Enable Self-protection module - I'm only mentioning this item because I think you should leave it enabled. The gains from disabling it cannot outweigh its benefits.
  • Exploit Protection - This is another decision that warrants consideration.
  • !!!IMPORTANT!!! Change the Theme to Dark. Because you're a badass. Obviously.

2. Disable Tamper Prevention

Though I have only personally dealt with Tamper Prevention in single-device, single-user Windows 10 environments it can be managed a few different ways. The feature appears on Windows 11; Server v. 1803+; Server 2012 R2, 2016, 2019, and 2022. Therefore I shall at first defer to the official documentation:

...and proceed to plagiarize those portions I think you'll find useful:

Tamper Protection in Windows Security helps prevent malicious apps from changing important Microsoft Defender Antivirus settings, including real-time protection and cloud-delivered protection. If Tamper Protection is turned on and you're an administrator on your computer, you can still change these settings in the Windows Security app. However, other apps can't change these settings.

Tamper Protection doesn't affect how third-party antivirus apps work or how they register with Windows Security.

Tamper Protection is turned on by default. If you turn off Tamper Protection, you will see a yellow warning in the Windows Security app under Virus & threat protection.

Change the Tamper Protection setting on an individual device

  1. In the search box on the taskbar or after opening the Windows menu, type Windows Security and then select Windows Security in the list of results.
  2. In Windows Security, select Virus & threat protection and then under Virus & threat protection settings, select Manage settings.
  3. Change the Tamper Protection setting to Off.

For instructions on managing Tamper Protection in multi-device environments, i.e. where Microsoft Endpoint Manager or Intune are being used to automatically manage configurations across up to hundreds or thousands of devices and/or virtual machines in an organization or cloud, please see the Microsoft 365 Defender documentation to determine the best way to deploy your configuration changes with respect to your product ecosystem.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

  1. Open the Windows PowerShell app.
  2. Use the Get-MpComputerStatus PowerShell cmdlet.
  3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

In my experience, after implementing some of the following methods to disable Defender you will lose access to the Tamper Protection setting via the Windows Settings GUI unless and until you revert the modification. It's also possible to activate and deactivate Tamper Protection via the registry - but to do that we're going to need the big guns...

3. Run as TrustedInstaller

You may have a stronger constitution than me but the record of blog posts that Google has accumulated over the past two years regarding disabling Defender leaves my head spinning. It seems to be a story of constant changes in abilities, permissions and values. What works one month can't be relied on to work the next. Changes are announced, implemented, reverted in silence then phased back out again. Accordingly I should take this moment to be clear with you: by the time you read this page some of the instructions may not work. Registry keys might be deleted, renamed or removed altogether. Inherently esoteric DWORD values could change meaning without any notice. So if something isn't working for you please don't get frustrated or spend too much time fiddling on the assumption that you might have made a mistake - I recommend you go straight to Google and look up keywords relevant to whatever you're trying and visually filter for the most recently posted articles. A lot of initial confusion seems to have come from the simple fact that certain keys have different effects depending on special circumstances and until enough people have discovered and documented them false assumptions are all the easier to make and perpetuate.

Taking ownership of registry keys is messy, and opening up permissions then walking away is poor form. Forget the registry: there are a lot of things we can do from the CLI that I'd like to make note of, but keeping track of and testing which permissions are currently required for each of them would be a waste of time when we can just escalate all the way to the top of the food chain and bulldoze onward.

There are a number of great tools that will let you start processes as any user you want but for our purposes these are my two favourites:

Process Hacker

Process Hacker is full of awesome functionality
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

RunAsTrustedInstaller

DD-WRT Post-Install Checklist

karma

DD-WRT comes out of the box with some questionable default settings. For example: a totally open default wifi network 'dd-wrt', default shell access via telnet when SSH is ready to go, no logging whatsoever which - despite demands on RAM - one might find useful during initial configuration at least...

After passing out during a router conversion and waking up to find an unexpected guest logged in I decided it wouldn't kill me to write and adhere to a post-installation checklist to make sure I don't miss anything in the future. I'll update this page as ideas come to me. Hit Apply Changes after each step.

  1. Disable WiFi until you have had time to implement a thoughtful configuration. Wireless > Basic Settings > Each Physical Interface change Wireless Network Mode to Disabled.
  2. Enable syslogd under Services > System Log. Bear in mind that logs will be collected in RAM unless you specify a remote syslogd server (ideal) or configure writable local storage. If neither of these suits you disable syslogd when you are finished dicking around but I will caution you that you may regret this decision one day.
  3. Configure the NTP Client under Setup > Basic Setup > Time Settings. Find your local pool at https://www.ntppool.org/en/. My settings are Canada/Eastern and ca.pool.ntp.org, although the NTP Pool Project advises:

    In most cases it's best to use pool.ntp.org to find an NTP server (or 0.pool.ntp.org, 1.pool.ntp.org, etc if you need multiple server names). The system will try finding the closest available servers for you.

    although I don't see how that could have less latency. Your call. Either way your syslogd entries will henceforth be a lot more meaningful.

  4. Disable Telnet and enable Secure Shell under services. It is strongly advisable to configure Authorized Keys and disable Password Login. It seems necessary to reboot the router after hitting apply to effect these changes.
  5. Under Administration > Web Access change Protocol to HTTPS and disable HTTP. Also disable Enable Info Site unless you are into that sort of masturbation. Note that you will have to update the URL in your browser once you apply changes.
  6. I like to enable Turning off radio under Services > SES / AOSS / EZ-SETUP / WPS Button so WiFi can be quickly disabled/enabled by pressing the WPS button. WPS should be disabled period which makes this button useless otherwise and this option provides a quick way to kill the radios in case of an accidental misconfiguration. Additionally I have deployed numerous solutions where having a wireless network on 24/7 provides no utility other than an increased attack surface - except on rare occasions where administration etc. is more conveniently accomplished over the air (as opposed to hanging off the device with the only 6 foot cat5 in eyeshot) and this is a great feature to have in those situations.
  7. Take a snapshot of your NVRAM settings. Before you go screwing with things like VLAN configuration and lose the default configuration forever, log in to the shell and dump the key=value pairs into a text file then store it somewhere persistent - ideally off-host - for safekeeping.
    nvram show > ~/nvram.bak
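As an added example (not from the original post) building on step 7: keep sorted nvram snapshots and list which keys were added, removed or changed between two of them, so a later "what did I break?" moment can be answered from the baseline. It assumes DD-WRT's nvram show prints one key=value per line; the demo snapshots inside are constructed, not captured from a real router.

```shell
# Added example, not from the original post. Assumes `nvram show` prints one
# key=value per line (DD-WRT); demo snapshots below are constructed.

# nvram_snapshot OUTFILE  (run on the router): keep only key=value lines,
# sorted, so two snapshots can be compared line by line.
nvram_snapshot() {
    nvram show 2>/dev/null | grep '=' | LC_ALL=C sort > "$1"
}

# nvram_diff OLD NEW: print "added KEY", "removed KEY" or "changed KEY" per line.
# Values may themselves contain '=', so split only on the first one.
nvram_diff() {
    awk '
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
        }
        FILENAME == ARGV[1] { old[key] = val; next }   # baseline snapshot
        !(key in old)      { print "added " key; next }
        old[key] != val    { print "changed " key }
        { delete old[key] }                            # present in both
        END { for (k in old) print "removed " k }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed before/after snapshots (not real router output) showing telnet
# being turned off, SSH and HTTPS turned on, and plain HTTP going away.
demo_nvram_diff() {
    d=$(mktemp -d)
    printf 'telnetd_enable=1\nsshd_enable=0\nwl0_ssid=dd-wrt\nhttp_enable=1\nlan_ipaddr=192.168.1.1\n' > "$d/before"
    printf 'telnetd_enable=0\nsshd_enable=1\nwl0_ssid=dd-wrt\nhttps_enable=1\nlan_ipaddr=192.168.1.1\n' > "$d/after"
    nvram_diff "$d/before" "$d/after"
    rm -rf "$d"
}
```

Run nvram_snapshot on the router after each checklist step and diff against the previous file to see exactly which keys that step touched.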

Failed to mount /sysroot on RedHat (CentOS/RHEL/Fedora/Rocky Linux)

karma

Power outage, VM tanked, whatever the reason, you may need to run xfs_repair from the recovery console.

Mounting /sysroot...
[ ***] A start job is running for /sysroot (3min 59s / 4min 31s)
[240.527013] INFO: task mount:406 blocked for more than 120 seconds.
[ 240.527056] "echo 0 > /proc/sys/kernel/hung_task_timeout+secs" disables this message."
[FAILED] Failed to mount /sysroot.
See 'systemctl status sysroot.mount' for more details.
[DEPEND] Dependency failed for Initrd Root File System.
[DEPEND] Dependency failed for Reload Configration from the Real Root.
[ OK ] Stopped dracut pre-pivot and cleanup hook.
[ OK ] Stopped target Initrd Default Target.
[ OK ] Reached target Initrd File System.
[ OK ] Stopped dracut mount hook.
[ OK ] Stopped target Basic System.
[ OK ] Stopped System Initialization.
Starting Emergency Shell...
Genrating "/run/initramfs/rdsosreport.txt"
Entering emergancy mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to usb stick or /boot after mounting them and attach it to a bug report.
:/#

Solution:
xfs_repair -v /dev/dm-0
Be sure to include any other volumes before rebooting, e.g. /dev/dm-1.

Credit to https://unix.stackexchange.com/questions/337289/how-to-repair-centos-failed-to-mount-sysroot for full error message copypasta. Mine was in a GUI in an RDP in a bump in a hole in the log down by the river~