Commit 0c274d64 authored by amnesia's avatar amnesia

Merge branch 'master' into squeeze

Conflicts:
	config/chroot_apt/preferences
	config/chroot_local-hooks/50-virtualbox
parents f86cd49d 07680603
......@@ -35,9 +35,9 @@ chmod -R go+rx config/chroot_local-includes/usr/local/sbin
# build the image
case "$LH_BINARY_IMAGES" in
iso)
iso|iso-hybrid)
BUILD_FILENAME_EXT=iso
BUILD_FILENAME=binary
BUILD_FILENAME=binary-hybrid
;;
tar)
BUILD_FILENAME_EXT=tar.gz
......@@ -61,18 +61,10 @@ BUILD_LOG="${BUILD_DEST_FILENAME}.buildlog"
echo "Building $LH_BINARY_IMAGES image ${BUILD_BASENAME}..."
if lh build noauto ${@} 2>&1 | tee "${BUILD_LOG}" ; then
echo "Image was successfully created"
if [ "${LH_BINARY_IMAGES}" = iso ]; then
if [ -x "`which isohybrid`" -a "${LH_ARCHITECTURE}" = 'i386' ]; then
echo "Turning the ISO image into a hybrid one..."
isohybrid $AMNESIA_ISOHYBRID_OPTS "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}"
else
echo "isohybrid was not found, the ISO image won't be a hybrid one"
fi
fi
echo "Renaming generated files..."
mv -i "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" "${BUILD_DEST_FILENAME}"
mv -i "${BUILD_FILENAME}.list" "${BUILD_MANIFEST}"
mv -i "${BUILD_FILENAME}.packages" "${BUILD_PACKAGES}"
mv -i binary.list "${BUILD_MANIFEST}"
mv -i binary.packages "${BUILD_PACKAGES}"
else
echo "lh build failed." >&2
exit 1
......
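Review bot: The merged `iso|iso-hybrid)` arm sets `BUILD_FILENAME=binary-hybrid` for both image types, but the later `mv -i "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" "${BUILD_DEST_FILENAME}"` would then look for `binary-hybrid.iso` on a plain `iso` build too, which presumably yields `binary.iso`; if only iso-hybrid is built from now on (the lh config hunk switches to it), narrowing the arm to `iso-hybrid)` or splitting the two arms keeps the name honest. The new `mv -i binary.list` / `mv -i binary.packages` lines hard-code the prefix that the first arm abstracts into BUILD_FILENAME, which is fine if every image type produces `binary.list`, but deserves a comment such as `# the manifest and package lists are always named binary.* regardless of image type`. The success branch these hunks rewrite is still entered on tee's exit status rather than lh build's, because the `if lh build … | tee` pipeline is unchanged; under bash, `set -o pipefail` before the `if` (or checking `${PIPESTATUS[0]}`) would make "Image was successfully created" truthful. The `case` and `if` bodies begin and end outside these hunks.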
......@@ -15,7 +15,8 @@ $RUN_LH_CONFIG --distribution squeeze ${@}
# set Amnesia's general options
$RUN_LH_CONFIG \
--apt-recommends false \
--binary-images iso \
--binary-images iso-hybrid \
--isohybrid-options "$AMNESIA_ISOHYBRID_OPTS" \
--bootappend-live "${AMNESIA_APPEND}" \
--archive-areas "main contrib non-free" \
--hostname="amnesia" \
......
#!/bin/bash
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing buggy syslinux help')"
......@@ -21,7 +21,7 @@ Echo_message "removing buggy syslinux help"
# Setting boot method specific variables
case "${LH_BINARY_IMAGES}" in
iso)
iso|iso-hybrid)
SYSLINUX_PATH="binary/isolinux"
;;
usb-hdd)
......
#!/bin/bash
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'internationalizing the syslinux menu')"
......@@ -27,7 +27,7 @@ fi
# Setting boot method specific variables
case "${LH_BINARY_IMAGES}" in
iso)
iso|iso-hybrid)
SYSLINUX_PATH="binary/isolinux"
;;
usb-hdd)
......
Package: live-helper
Pin: release a=testing
Pin-Priority: 999
Package: *
Pin: release a=testing
Pin-Priority: 900
......
#!/bin/sh
# Create the ntpdate user.
# Create the htp user.
#
# We run ntpdate as this user, so that we can whitelist its
# We run htpdate as this user, so that we can whitelist its
# non-Torified outgoing packets.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'creating the ntpdate user')"
DESCRIPTION="$(Echo 'creating the htp user')"
HELP=""
USAGE="${PROGRAM}"
......@@ -17,6 +17,6 @@ USAGE="${PROGRAM}"
Read_conffiles config/all config/common config/chroot
Set_defaults
Echo_message "creating the ntpdate user"
Echo_message "creating the htp user"
adduser --system --quiet --group --no-create-home ntpdate || :
adduser --system --quiet --group --no-create-home htp || :
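Review bot: `adduser --system --quiet --group --no-create-home htp || :` discards adduser's exit status, yet other parts of this commit depend on the account existing — the firewall's `--uid-owner htp` rules and the dispatcher script's `sudo -u htp` — so a failure here would only surface much later and far from its cause. If the `|| :` exists to keep the hook re-runnable, `getent passwd htp >/dev/null || adduser --system --quiet --group --no-create-home htp` stays idempotent while still letting a genuine failure propagate. A one-line comment above it explaining why the account gets no home directory and its own group would also help; the header comment covers why the user exists (firewall whitelist) but not those flags.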
#!/bin/sh
# Remove Debian's ntpdate hook.
#
# Due to the weird environment we run in, we install our own custom
# hook (namely /etc/NetworkManager/dispatcher.d/50-ntp.sh) via
# config/chroot_local-includes.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing Debian ntpdate hook')"
HELP=""
USAGE="${PROGRAM}"
# Reading configuration files
Read_conffiles config/all config/common config/chroot
Set_defaults
Echo_message "removing Debian ntpdate hook"
rm --force /etc/network/if-up.d/ntpdate
......@@ -3,7 +3,7 @@
# Remove pdnsd's resolvconf hook.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing pdnsd resolvconf hook')"
......
......@@ -4,7 +4,7 @@
# security issues far too often.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing pidgin MSN support')"
......
......@@ -3,7 +3,7 @@
# Remove unwanted iceweasel search plugins.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing unwanted iceweasel search plugins')"
......
......@@ -3,7 +3,7 @@
# Build binary sqlite iceweasel files from plain text SQL files.
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'building iceweasel sqlite files')"
......
......@@ -3,7 +3,7 @@
# Set the correct firegpg version in /etc/iceweasel/profile/user.js
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'recording firegpg version')"
......
#!/bin/sh
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'add modules to /etc/modules')"
......
......@@ -3,7 +3,7 @@
# Install modules managed by module-assistant
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'installing modules managed by module-assistant')"
......
#!/bin/sh
# Including common functions
. "${LH_BASE:-/usr/share/live-helper}"/live-helper.sh
. "${LH_BASE:-/usr/share/live-helper}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'removing development packages')"
......@@ -28,7 +28,6 @@ aptitude --assume-yes purge \
g++ g++-4.3 \
libc6-dev linux-libc-dev \
libgomp1 \
libtimedate-perl \
make \
module-assistant \
virtualbox-ose-guest-dkms
#!/bin/bash
# Rationale: Tor needs a somewhat accurate clock to work, and for that
# HTP is currently the only practically usable solution when one wants
# to authenticate the servers providing the time. We then need to get
# the IPs of a bunch of HTTPS servers.
# However, since all DNS lookups are normally made through the Tor
# network, which we are not connected to at this point, we use the
# local DNS servers obtained through DHCP if possible, or the OpenDNS
# ones, else.
# To limit fingerprinting possibilities, we do not want to send HTTP
# requests aimed at an IP-based virtualhost such as https://IP/, but
# rather to the usual hostname (e.g. https://www.eff.org/) as any
# "normal" user would do. Once we have got the HTTPS servers IPs, we
# write these to /etc/hosts so the system resolver knows about them.
# htpdate is then run, and we eventually remove the added entries from
# /etc/hosts.
# Note that all network operations (host, htpdate) are done with the
# htp user, who has an exception in the firewall configuration
# granting it direct access to the needed network ports.
# That's why we tell the htpdate script to drops priviledges and run
# as the htp user all operations but the actual setting of time, which
# has to be done as root.
# Run whenever an interface gets "up", not otherwise:
if [[ $2 != "up" ]]; then
exit 0
fi
LOG=/var/log/nm-htp.log
HTPDATE_LOG=/var/log/htpdate.log
declare -a HTP_POOL
HTP_POOL=(
'www.torproject.org'
'mail.riseup.net'
'www.google.com'
'secure.wikimedia.org'
)
BEGIN_MAGIC='### BEGIN HTP HOSTS'
END_MAGIC='### END HTP HOSTS'
if [[ -n "${DHCP4_DOMAIN_NAME_SERVERS}" ]]; then
NAME_SERVERS="${DHCP4_DOMAIN_NAME_SERVERS}"
else
NAME_SERVERS="208.67.222.222 208.67.220.220"
fi
echo "Will use these nameservers: ${NAME_SERVERS}" >>$LOG
cleanup_etc_hosts() {
echo "Cleaning /etc/hosts" >>$LOG
local tempfile
tempfile=`mktemp -t nm-htp.XXXXXXXX`
where=outside
cat /etc/hosts | while read line ; do
if [ "$where" = inside ]; then
if [ "$line" = "$END_MAGIC" ]; then
where=outside
fi
else
if [ "$line" = "$BEGIN_MAGIC" ]; then
where=inside
else
echo "$line" >> $tempfile
fi
fi
done
chmod 644 "$tempfile"
mv "$tempfile" /etc/hosts
}
echo "${BEGIN_MAGIC}" >> /etc/hosts
for HTP_HOST in ${HTP_POOL[*]} ; do
DNS_QUERY_CMD=`for NS in ${NAME_SERVERS}; do
echo -n "|| host ${HTP_HOST} ${NS} ";
done | \
tail --bytes=+4`
IP=$(sudo -u htp sh -c "${DNS_QUERY_CMD}" | \
grep "has address" | \
head -n 1 | \
cut -d ' ' -f 4)
if [[ -z ${IP} ]]; then
echo "Failed to resolve ${HTP_HOST}" >>$LOG
echo "${END_MAGIC}" >> /etc/hosts
cleanup_etc_hosts
exit 17
else
echo "${IP} ${HTP_HOST}" >> /etc/hosts
fi
done
echo "${END_MAGIC}" >> /etc/hosts
touch "${HTPDATE_LOG}"
chown htp:nogroup "${HTPDATE_LOG}"
chmod 600 "${HTPDATE_LOG}"
/usr/local/sbin/htpdate \
-d \
-l "${HTPDATE_LOG}" \
-a "`/usr/local/bin/getTorbuttonUserAgent`" \
-f \
-p \
-u htp \
${HTP_POOL[*]}
HTPDATE_RET=$?
echo "htpdate exited with return code ${HTPDATE_RET}" >>$LOG
cleanup_etc_hosts
exit ${HTPDATE_RET}
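Review bot: The nameserver list taken from DHCP4_DOMAIN_NAME_SERVERS (the `if` near the top of the file) is spliced verbatim into DNS_QUERY_CMD and then executed with `sudo -u htp sh -c "${DNS_QUERY_CMD}"`, so any value that is not a plain address would be interpreted as shell code, and the script never checks its shape. NetworkManager presumably hands over already-parsed addresses, but the script should not depend on that: pass each nameserver to `host` as an argument after a syntax check instead of assembling a command string, which also removes the `|| host …` / `tail --bytes=+4` construction. The helper below replaces the lines from `DNS_QUERY_CMD=` through `cut -d ' ' -f 4)` with `IP=$(resolve_host "${HTP_HOST}")`, trying the nameservers in turn as the original did. Independently, an interrupted run (htpdate killed, script terminated) leaves the HTP block in /etc/hosts because cleanup_etc_hosts only runs on the two explicit paths; `trap cleanup_etc_hosts EXIT` after the function definition covers that, and the existing explicit calls then become redundant but harmless.
```shell
# … unchanged: rationale header, "up" check, LOG/pool/magic variables, NAME_SERVERS selection, cleanup_etc_hosts …
trap cleanup_etc_hosts EXIT

# Resolve $1 through the configured nameservers as the htp user; print the
# first IPv4 address found, return 1 if none of the servers produced one.
resolve_host() {
  local name=$1 ns ip
  for ns in ${NAME_SERVERS}; do
    # The DHCP-supplied value is passed only as an argument, never as shell
    # code, and only when it looks like a dotted-quad address.
    [[ ${ns} =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
    ip=$(sudo -u htp host "${name}" "${ns}" | grep "has address" | head -n 1 | cut -d ' ' -f 4)
    if [[ -n ${ip} ]]; then
      printf '%s\n' "${ip}"
      return 0
    fi
  done
  return 1
}

echo "${BEGIN_MAGIC}" >> /etc/hosts
for HTP_HOST in "${HTP_POOL[@]}" ; do
  IP=$(resolve_host "${HTP_HOST}")
  # … unchanged: append "${IP} ${HTP_HOST}" to /etc/hosts, or log, clean up and exit 17 …
done
# … unchanged: END_MAGIC, htpdate log setup, htpdate invocation, exit …
```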
#!/bin/bash
# Rationale: Tor needs a somewhat accurate clock to work, and for that
# NTP is ideal. We then need to get the IPs of a bunch of NTP servers.
# However, since DNS lookups are made through the Tor network, we use
# the local DNS servers obtained through DHCP if possible, or the
# OpenDNS ones, else.
# Note that all network operations (host, ntpdate) are done with the ntpdate
# user, who has an exception in the firewall configuration granting it direct
# access to the network, which is necessary. The ntpdate user doesn't have the
# privilege to run adjtime()/settimeofday() so we only use ntpdate to query
# the time difference/offset and run date as root to set the time.
# Run whenever an interface gets "up", not otherwise:
if [[ $2 != "up" ]]; then
exit 0
fi
NTP_POOL="pool.ntp.org"
if [[ -n "${DHCP4_DOMAIN_NAME_SERVERS}" ]]; then
NAME_SERVERS="${DHCP4_DOMAIN_NAME_SERVERS}"
else
NAME_SERVERS="208.67.222.222 208.67.220.220"
fi
DNS_QUERY_CMD=`for NS in ${NAME_SERVERS}; do
echo -n "|| host ${NTP_POOL} ${NS} ";
done | \
tail --bytes=+4`
I=0
for X in $(sudo -u ntpdate sh -c "${DNS_QUERY_CMD}" | \
grep "${NTP_POOL} has address" | \
cut -d ' ' -f 4); do
NTP_ADDR[${I}]="${X}"
I=$[${I}+1]
done
if [[ ${I} -eq 0 ]]; then
echo "Failed to resolve pool.ntp.org" >&2
exit 1
fi
I=0
NTP_OFFSET=""
while [[ -n ${NTP_ADDR[${I}]} ]] && [[ -z ${NTP_OFFSET} ]]; do
NTP_ANSWER=$(sudo -u ntpdate ntpdate -s -u -q ${NTP_ADDR[${I}]})
# On success, grep the offset (including sign). Note that it gets
# truncated -- anything below whole seconds are beyond date's
# precision anyway.
if [[ $? -eq 0 ]]; then
NTP_OFFSET=$(echo ${NTP_ANSWER} | sed -e "s/^.*offset \(-\?[[:digit:]]\+\)\..*$/\1/")
fi
I=$[${I}+1]
done
if [[ -z ${NTP_OFFSET} ]]; then
echo "ntpdate failed" >&2
exit 1
fi
# Get a date compatible string of the correct time (by current time modified
# by the offset) and then use it to set the system time.
DATE_STRING=$(date --date "${NTP_OFFSET} seconds" +%m%d%H%M%Y.%S) && \
date ${DATE_STRING} &> /dev/null
exit $?
# /etc/default/openntpd
# Uncomment to set the system time when starting in case the offset
# between the local clock and the servers is more than 180 seconds.
# For other options, see man ntpd(8).
DAEMON_OPTS="-s"
......@@ -16,12 +16,11 @@
# Tor is allowed to do anything it wants to.
[0:0] -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
# The ntpdate user is allowed to connect to services listening on the ntp port...
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p TCP --dport ntp -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p UDP --dport ntp -j ACCEPT
# The htp user is allowed to connect to services listening on the https port...
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport https -j ACCEPT
# ... and to services listening on the domain port.
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p TCP --dport domain -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p UDP --dport domain -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport domain -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner htp -p UDP --dport domain -j ACCEPT
# Everything else is dropped.
[0:0] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
......@@ -44,12 +43,11 @@ COMMIT
# Tor is allowed to do anything it wants to.
[0:0] -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
# The ntpdate user is allowed to connect to services listening on the ntp port...
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p TCP --dport ntp -j RETURN
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p UDP --dport ntp -j RETURN
# The htp user is allowed to connect to services listening on the https port...
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport https -j RETURN
# ... and to services listening on the domain port.
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p TCP --dport domain -j RETURN
[0:0] -A OUTPUT -m owner --uid-owner ntpdate -p UDP --dport domain -j RETURN
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport domain -j RETURN
[0:0] -A OUTPUT -m owner --uid-owner htp -p UDP --dport domain -j RETURN
# .onion mapped addresses redirection to Tor.
[0:0] -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
......
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-wifi
# Required-Start: mountkernfs $local_fs
# Required-Stop: $local_fs
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: Configure wireless interfaces
# Description: T(A)ILS-specific wireless configuration
### END INIT INFO
# Author: amnesia <amnesia@boum.org>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/bin
DESC="T(A)ILS-specific wireless configuration"
NAME=tails-wifi
IWCONFIG=/sbin/iwconfig
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$IWCONFIG" ] || exit 0
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
do_start()
{
wdevs=`iwconfig 2>/dev/null | grep -oE '^[^ ]+'`
for dev in ${wdevs}; do
iwconfig ${dev} power on
done
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Setting up $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
restart|reload|stop|force-reload)
:
;;
*)
echo "Usage: $SCRIPTNAME start" >&2
exit 3
;;
esac
:
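Review bot: do_start invokes a bare `iwconfig` twice although the script resolves the tool as `IWCONFIG=/sbin/iwconfig` and only proceeds when that path is executable; both calls should use `"$IWCONFIG"` so the existence check and the invocation agree. The `case "$?"` after do_start expects 0, 1 or 2, but the function returns whatever the last `iwconfig ${dev} power on` (or the `wdevs=` assignment, when no wireless device exists) returned, so a failure on one device is neither reported nor mapped to an arm; ending the loop body with `|| return 2` and the function with `return 0` makes the status mapping meaningful. Per iwconfig(8), `power on` enables the interface's power-management mode rather than powering the device on, which may well be the intent — a one-line comment such as `# enable 802.11 power management on every wireless interface` would spare the next reader the same doubt.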