Lehky kolovy tucnak

Ani balik neodstranis, protoze je to v zavislostech…!

# rm -rfv /etc/ssl/certs
$ echo "check-certificate = off" > $HOME/.wgetrc

Edit “/etc/default/grub”

GRUB_CMDLINE_LINUX_DEFAULT="quiet nouveau.modeset=0 net.ifnames=0 biosdevname=0"

Zakaz IPv6 v /etc/sysctl.d/ipv6.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.<device>.disable_ipv6 = 1

$ gsettings set org.mate.Marco.window-keybindings minimize Super_L
$ gsettings set org.mate.Marco.general button-layout 'close,maximize,minimize:'

$ gsettings set org.mate.caja.desktop computer-icon-visible false
$ gsettings set org.mate.caja.desktop home-icon-visible false
$ gsettings set org.mate.caja.desktop network-icon-visible false
$ gsettings set org.mate.caja.desktop trash-icon-visible false
$ gsettings set org.mate.caja.desktop volumes-icon-visible true

Odriznuti prohlizece nebo jineho nebezpecneho SW od dat bezneho uzivatele (sachy) tim, ze se bude spoustet pod vlastnim neprivilegovanym uzivatelem (ffuser). Obdobne pro jiny crapware…

# echo "sachy ALL=(ffuser) NOPASSWD: /home/ffuser/firefox/firefox" >> /etc/sudoers
$ xhost +si:localuser:ffuser # povolit ffuserovi pouzit $DISPLAY
...
$ sudo -u ffuser /home/ffuser/firefox/firefox

Finch je TUI irc/jabber/… komunikator nad libpurple0 (oboji soucast pidginu, ale pouzitelne samostatne). V debian-like distrech terminalovy klient zavisi na fontech a dalsich GUI nesmyslech.

Stazeni .deb a rozbaleni:

$ apt-get download finch libpurple0
$ dpkg-deb -R ./finch<verze>.deb ./fmin
$ dpkg-deb -R ./libpurple0<verze>.deb ./lp0min

Nahrazeni zavislosti finche (./fmin/DEBIAN/control) Pozor na nazev “finch” → “finch-minimal” a zavislost “libpurple0” → “libpurple0-minimal”!

Package: finch-minimal
Source: finch-minimal
Version: 2.11.0-0+deb8u1
Architecture: amd64
Maintainer: Ari Pollak <ari@debian.org>
Installed-Size: 744
Depends: libc6 (>= 2.14), libglib2.0-0 (>= 2.35.9), libncursesw5 (>= 5.6+20070908), libpurple0-minimal (>= 2.8.0), libtinfo5, libxml2 (>= 2.7.4)

Podobne pro libpurple0 (./lp0min/DEBIAN/control)

Package: libpurple0-minimal
Source: libpurple0-minimal
Version: 2.11.0-0+deb8u1
Architecture: amd64
Maintainer: Ari Pollak <ari@debian.org>
Installed-Size: 4861
Depends: libc6 (>= 2.15), libdbus-1-3 (>= 1.0.2), libdbus-glib-1-2 (>= 0.78), libglib2.0-0 (>= 2.37.3), libidn11 (>= 1.13), libnspr4 (>= 2:4.9-2~) | libnspr4-0d (>= 1.8.0.10), libnss3 (>= 2:3.14), libperl5.20 (>= 5.20.2), libsasl2-2, libxml2 (>= 2.7.4), perl-base (>= 5.20.2-3+deb8u5), perlapi-5.20.2, libsasl2-modules
Suggests: libtcl8.6 (>= 8.6.0)

Instalace upravenych baliku:

$ dpkg-deb --build ./fmin ./
$ dpkg-deb --build ./lp0min ./
# dpkg -i ./finch-minimal<verze>.deb ./libpurple0-minimal<verze>.deb
# apt-get install -f # dotazeni zavislosti

Pripadne, pokud nekdo chce kompilovat, tak: (pozor na –with-static-prpls=“<protokoly>”)

$ ./configure --disable-gtkui --disable-screensaver --disable-sm --disable-startup-notification --disable-gtkspell --disable-gevolution --disable-cap --disable-gestures --disable-schemas-install --disable-gstreamer --disable-gstreamer-video --disable-gstreamer-interfaces --disable-farstream --disable-vv --disable-meanwhile --disable-avahi --disable-nm --disable-plugins --disable-perl --enable-gnutls=yes --enable-nss=yes --disable-tcl --disable-tk --disable-pixmaps-install --disable-doxygen --disable-dot --with-static-prpls="irc jabber" --disable-idn --disable-dbus --with-x=no --enable-consoleui --disable-nls
$ make -j 1
# make install
# make checkinstall

Profit!

/usr/share/nano/mutt.nanorc

## Here is an example for quoted emails (under e.g. mutt).
##
syntax "mutt"
color yellow  "^>.*"
color green  "^> >.*"
color yellow  "^Subject: .*"
color yellow  "^From: .*"
color yellow  "^Date: .*"

# echo 'include "/usr/share/nano/mutt.nanorc"' >> /etc/nanorc
$ echo 'set editor="nano --syntax=mutt "' >> $HOME/.mutt/muttrc

Maily z Utlouku ci jineho bazmekwaru produkujiciho straslivy “mimetype: text/html” humus lze umravnit odstranenim XML ze zprav (.mutt/muttrc):

set display_filter = " sed -e 's/<[^><]*>//g' "

Je to ale jen hotfix (utloucke maily jsou chvalne v text-only klientech necitelne zprasene) plny escape bugu. Lynx -dump je urcite lepsi reseni, ale ne vsude dostupne.

Nekteri poskytovalete maji pocit, ze vsechna odchozi posta musi projit pres jejich SMTP server a ostatni SMTPS spojeni zariznou. Rucne menit konfiguraky pri prechodech je otrava, pomuze script :)

V globalnim muttrc je asi neco takoveho (makra na zmenu schranky, dle poctu ruznych mailu):

macro index <f4> '<enter-command>source $HOME/.mutt/MAILBOX.muttrc<enter><change-folder>!<enter>'

MAILBOX.muttrc jsou specificke volby pro danou schranku. Je tedy potreba je vygenerovat z predlohy a docpat tam spravny smtp_url, pripadne dalsi upravy dle poskytovatele.

mutt1.sh

#!/bin/bash

cp -f $HOME/.mutt/MAILBOX.muttrc.src $HOME/.mutt/MAILBOX.muttrc
echo 'set smtp_url="smtps://such.security.wtf"' >> $HOME/.mutt/MAILBOX.muttrc

mutt
exit

Podobne pro dalsi poskytovatele mutt2.sh atd. Generatory lze ulozit bud do /usr/local/bin nebo pres alias do .bashrc a pak mutt spoustet generatorem, nikoli rovnou.

Gnupg-2.1 zmenilo API, takze mutt s nim nefunguje. Je potreba zmenit parametry:

set pgp_decode_command="gpg %?p?--pinentry-mode loopback  --passphrase-fd 0? --verbose --no-auto-check-trustdb --batch --output - %f"
set pgp_verify_command="gpg --pinentry-mode loopback --verbose --batch --output - --no-auto-check-trustdb --verify %s %f"
set pgp_decrypt_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - %f"
set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f"
set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f"
set pgp_encrypt_sign_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --textmode --trust-model always --output - %?a?-u %a? --armor --encrypt --sign --armor -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --trust-model always --output --output - --encrypt --textmode --armor -- -r %r -- %f"
set pgp_import_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --import -v %f"
set pgp_export_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --export --armor %r"
set pgp_verify_key_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-secret-keys %r"

viz: https://robbat2.livejournal.com/241544.html?nojs=1

Nektera dialogova okna maji klikaci odkaz u ktereho nejde zjistit cilova adresa, nebo se crapware snazi otevrit nejaky web sam od sebe. Resenim je nahradit vychozi browser dialogovym oknem, ktery onen odkaz zobrazi.

Fake browser: /opt/displaylink.sh

#!/bin/bash
zenity --info --text="$1"
exit

Nastaveni MitM jako defaultniho browseru (system-wide):

# update-alternatives --install /opt/x-www-browser x-www-browser /opt/displaylink.sh 666

user-wide /usr/share/applications/displaylink.desktop

[Desktop Entry]
Version=1.0
Name=Displaylink     
Exec=/opt/displaylink.sh %U
Terminal=false
Type=Application

a pak pro http, https, ftp, …:

 
$ sed -i 's/x-scheme-handler\/http=.*/x-scheme-handler\/http=displaylink.desktop/g' $HOME/.config/mimeapps.list

V HOME se tvori zbytecny, obrovsky log .xsession-errors a .xsession-errors.old. Presmerovani do /dev/null nepomaha, Xka si ho zase nahradi za bezny soubor.

Takhle se ho da zbavit:

# echo "exec >> /dev/null 2>&1" > /etc/X11/Xsession.d/05-noerr
# chmod +x /etc/X11/Xsession.d/05-noerr

v /etc/fstab se da pripojovat filesystem s volbami “noatime,nodiratime”, coz zakaze aktualizace casu pristupu k souboru/adresari (IMHO uplne zbytecny timestamp).

Zruseni xsession-errors (viz vyse)

/var/log se da mountit jako tmpfs.

none	/var/log	tmpfs	size=100M,mode=777,noatime,nodiratime	0	0

~.cache je trikove - ukladaji se tam napriklad nahledy medialnich souboru (kdo pracuje s mc, tak nahledy nepotrebuje), dconf “dvoubajtovy binarni blob”… Takze muze byt uzitecne si .cache presunout do tmpfs/nullfs:

$ rm -rfv $HOME/.cache
$ ln -s /dev/shm $HOME/.cache
$ rm -rfv $HOME/.mozilla/firefox/<profil>/cache
$ ln -s /dev/shm $HOME/.mozilla/firefox/<profil>/cache

Pulseaudio si v /dev/shm dela 64MiB binarni bloby (pulseaudio-shm-*) a NEMAZE je po sobe, cimz efektivne zere “cached” (protoze tmpfs) RAM.

Pokud se tyhle bloby zakazou, podle internetu muze vzrust latence (ale nepozoroval jsem)…

Nastesti se to da zakazat upravou /etc/pulse/daemon.conf (pozor na strednik na zacatku radku)

enable-shm = no

Devuan (MATE 1.8) se neumi uspat do RAM i s nainstalovanym acpi a pm-utils. Je potreba vyresit uspani a zaroven zamkuti obrazovky (pm-suspend jen uspi, ale nezamkne).

Pokud se pm-suspend zavola pred dokoncenim zamknuti (je-li screensaver nastaveny na fade-to-black), po probuzeni jsou v obraze artefakty a muze leaknout buffer desktopu pred zamcenim.

Distribucni script /etc/acpi/lid.sh vola (pokud existuje a je spustitelny) soubor /etc/acpi/local/lid.sh.pre (pravdepodobné neexistuje → vytvor):

grep -q closed /proc/acpi/button/lid/*/state
if [ $? = 0 ]; then
	xscreensaver-command -display :0.0 -lock && sleep 3; pm-suspend
fi

Nekdy je jeste potreba vytvorit event pro acpid /etc/acpi/events/lid

event=button/lid LID [^o]
action=/etc/acpi/lid.sh

Kdyz diskretni grafika jenom zere baterku a nani potreba, tak se da defaultne vypnout:

# apt-get install bbswitch-dkms
# echo "bbswitch load_state=0" >> /etc/modules
# update-initramfs -u -v

Pripadne rucne:

# echo "OFF" > /proc/acpi/bbswitch
# echo "ON" > /proc/acpi/bbswitch

Vyhledavac DDG umi vysledky poskytovat bez JS v cistem HTML, pripadne vyhledavat primo obrazky. Umi taky parametricky vypnout “filtrovani nevhodneho obsahu” (GET parametr “kp=-2”). Udelal jsem adekvatni searchpluginy do firefoxu:

HTML only, vypnute filtrovani:

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
<os:ShortName>DuckDuckGoGG HTML</os:ShortName>
<os:Description>Search DuckDuckGoGG (HTML)</os:Description>
<os:InputEncoding>UTF-8</os:InputEncoding>
<os:Url type="text/html" method="GET" template="https://duckduckgo.com/html/">
  <os:Param name="q" value="{searchTerms}"/>
	<Param name="kp" value="-2"/>
</os:Url><os:Url type="application/x-suggestions+json" method="GET" template="https://duckduckgo.com/?q={searchTerms}&amp;kp=-2&amp;type=list">
</os:Url>
</SearchPlugin>

Hledani rovnou obrazku:

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
<os:ShortName>DuckDuckGoGG Img</os:ShortName>
<os:Description>Search DuckDuckGoGG (Image)</os:Description>
<os:InputEncoding>UTF-8</os:InputEncoding>
<os:Url type="text/html" method="GET" template="https://duckduckgo.com/">
  <os:Param name="q" value="{searchTerms}"/>
	<Param name="kp" value="-2"/>
	<Param name="iar" value="images"/>
	<Param name="type" value="list"/>
</os:Url><os:Url type="application/x-suggestions+json" method="GET" template="https://duckduckgo.com/?iar=images&amp;q={searchTerms}&amp;kp=-2">
</os:Url>
</SearchPlugin>

Ulozit do $HOME/.mozilla/firefox/PROFIL/searchplugins/NAZEV_VYHLEDAVACE.xml

echo 'ACTION==“add”,KERNEL==“sd*”,RUN==“/bin/true”' » /etc/udev/rules.d/noautomount.rules

Nejaky idiot implementoval default, ze kdyz pri bootu neni link na eth, tak se musi pockat 90s a on se mozna zazracne objevi.

Reseni je snadne: na zacatek /etc/init.d/networking nacpat “exit 0”

https://www.root.cz/clanky/rizeni-toku-algoritmem-bbr-buldozer-nebere-ohledy-na-ostatni-spojeni/

# echo "tcp_bbr" >> /etc/modules
# echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.d/bbr.conf

set smooth
set softwrap
set tabsize 2
set constantshow
unset locking
bind ^L copytext all

Nejaky debil vymyslel a defaultne zapnul ukladani URL stahovaneho souboru do xattr. Informace samotná je uložena jako vlastnost user.xdg.origin.url, případně user.xdg.referrer.url

By default se tak chova wget (při kompilaci vypnout parametrem –disable-xattr; za běhu –no-xattr) a chromajzl.

https://www.root.cz/clanky/atributy-souboru-mohou-obsahovat-url-ze-ktere-byl-soubor-stazen/

“bc” zahazuje 0 na zacatku desetinnych cisel, protoze americani maji vseobecne s cislama problem (a neexistuje ani zadny prepinac ktery by to zapnul)

echo "5*0.1" | bc
.5

Nastesti co nedokaze basic calculator, dokaze sed… Fix do .bashrc:

alias bc="bc | sed -e 's/^\./0./g' -e 's/^-\./-0./g'"