Commit 58f005b5 authored by segfault's avatar segfault

Merge commit '70091e58' (Tails 3.0~beta3 release) into feature/5688-tails-server

parents e8adad89 70091e58
......@@ -14,11 +14,10 @@ echo "Removing unwanted packages"
apt-get --yes purge \
'^linux-kbuild-*' \
'^linux-headers-*' \
'^linux-source-*' \
build-essential debhelper dkms dpatch dpkg-dev \
gcc gcc-4.8 gcc-4.9 gcc-5 gcc-5-base gcc-6 \
build-essential debhelper dkms dpkg-dev \
gcc gcc-6 \
intltool-debian \
libc6-dev libgl1-mesa-dev linux-libc-dev \
libc6-dev linux-libc-dev \
make \
po-debconf \
rsyslog \
......@@ -29,26 +28,18 @@ apt-get --yes purge \
### since they have Priority: standard.
apt-get --yes purge \
apt-listchanges \
at \
bsd-mailx \
dc \
debian-faq \
doc-debian \
'^exim4*' \
ftp \
m4 \
mlocate \
mutt \
ncurses-term \
nfs-common \
portmap \
procmail \
python3-reportbug \
reportbug \
telnet \
texinfo \
time \
w3m \
wamerican
### Deinstall some other unwanted packages.
......@@ -59,7 +50,6 @@ apt-get --yes purge \
libdvdcss2-dbgsym \
live-build \
locales \
paxctld \
rpcbind \
tasksel \
tasksel-data \
......
......@@ -21,7 +21,7 @@
### Init variables
TORDATE_DIR=/var/run/tordate
TORDATE_DIR=/run/tordate
TORDATE_DONE_FILE=${TORDATE_DIR}/done
TOR_CONSENSUS=${TOR_DIR}/cached-microdesc-consensus
TOR_UNVERIFIED_CONSENSUS=${TOR_DIR}/unverified-microdesc-consensus
......@@ -48,10 +48,6 @@ if [ -e "$TORDATE_DONE_FILE" ]; then
fi
### Create status directory
install -o root -g root -m 0755 -d ${TORDATE_DIR}
### Functions
log() {
......
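Review bot: With the `install -o root -g root -m 0755 -d ${TORDATE_DIR}` step removed, this script no longer creates `/run/tordate`, yet `TORDATE_DONE_FILE=${TORDATE_DIR}/done` and the `-e "$TORDATE_DONE_FILE"` check still point into it, so the script now depends on something outside this file creating the directory before it runs. If that creator exists (a unit's `RuntimeDirectory=`, a tmpfiles.d entry), a comment above the `TORDATE_DIR=/run/tordate` assignment would spare the next reader the search, e.g. `# /run/tordate is created by <creator>, not by this script`; if it does not, the creation should stay, quoted this time: `install -o root -g root -m 0755 -d "$TORDATE_DIR"`. The `log()` function that begins at the end of this hunk continues outside it.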
#!/bin/sh
# I2P isn't started automatically at system boot.
# Instead, it is started with this hook script.
# Import i2p_is_enabled().
. /usr/local/lib/tails-shell-library/i2p.sh
# Don't even try to run this script if I2P is not enabled.
i2p_is_enabled || exit 0
# don't run if interface is 'lo'
if [ -z "$1" ] || [ "$1" = "lo" ]; then
exit 0
fi
if [ "$2" = "up" ]; then
/usr/local/sbin/tails-i2p start &
fi
......@@ -3,11 +3,6 @@
# Configuration file for ferm(1).
#
# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
# only be enabled if the string "i2p" is entered at the boot prompt.
# Deny or reject rules affecting "i2psvc" will always be set.
def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
# When ferm starts initially during early boot, the "amnesia" user does not
# exist yet, so we have to use its UID (#7018).
def $amnesia_uid = 1000;
......@@ -74,42 +69,12 @@ domain ip {
mod owner uid-owner $amnesia_uid ACCEPT;
}
# Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
daddr 127.0.0.1 proto udp dport 5353 {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to the accessibility daemon
daddr 127.0.0.1 proto tcp syn dport 4101 {
mod owner uid-owner $amnesia_uid ACCEPT;
mod owner uid-owner Debian-gdm ACCEPT;
}
# White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
@if $use_i2p mod owner uid-owner $amnesia_uid ACCEPT;
}
# Whitelist access to I2P services for the i2psvc user,
# otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
# accessed by the webmail app
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# Whitelist access to the i2pbrowser user
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
@if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
}
# White-list access to the java wrapper's (used by I2P) control ports
# (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
# If, for example, port 31000 is in use, it'll try the next one in sequence.
daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to CUPS
daddr 127.0.0.1 proto tcp syn dport 631 {
mod owner uid-owner $amnesia_uid ACCEPT;
......@@ -122,7 +87,7 @@ domain ip {
# White-list access to OnionShare
daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
mod owner uid-owner amnesia ACCEPT;
mod owner uid-owner $amnesia_uid ACCEPT;
}
}
......@@ -136,14 +101,13 @@ domain ip {
}
# Local network connections should not go through Tor but DNS shall be
# rejected. I2P is explicitly blocked from communicating with the LAN.
# (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
# rejected. (Note that we exclude the VirtualAddrNetwork used for
# .onion:s here.)
daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
proto tcp dport domain REJECT;
proto udp dport domain REJECT;
proto tcp dport netbios-ns REJECT;
proto udp dport netbios-ns REJECT;
mod owner uid-owner i2psvc REJECT;
ACCEPT;
}
......@@ -152,11 +116,6 @@ domain ip {
proto tcp syn mod state state (NEW) ACCEPT;
}
# i2p is allowed to do anything it wants to on the internet.
outerface ! lo mod owner uid-owner i2psvc {
@if $use_i2p proto (tcp udp) ACCEPT;
}
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
REJECT reject-with icmp-port-unreachable;
......
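Review bot: Dropping `mod owner uid-owner i2psvc REJECT;` from the `lan` subchain is correct only if the `i2psvc` account is gone from the image along with the other I2P rules removed here; if the i2p package were still installed, that uid would now fall through to the chain's trailing `ACCEPT;` and reach the LAN, which the old comment explicitly ruled out. The dependency cuts both ways, since iptables refuses a `uid-owner` naming an unknown user and the whole ruleset would then fail to load, so the removal is required once the account is gone. The OnionShare change from `uid-owner amnesia` to `uid-owner $amnesia_uid` follows the early-boot rationale given above `def $amnesia_uid = 1000;`; any remaining `uid-owner amnesia` outside these hunks, if there is one, should get the same treatment. The `domain ip {` block enclosing all of these hunks starts and ends outside them.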
blacklist mei-me
blacklist mei
install mei-me /bin/true
install mei /bin/true
# Protect against CVE-2017-2636
install n-hdlc /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
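Review bot: The `install … /bin/true` lines for dccp, sctp, rds and tipc carry no rationale, while the n-hdlc line directly above them does (`# Protect against CVE-2017-2636`), so a reader cannot tell whether they share that reason or are plain attack-surface reduction; if these are among the lines this commit adds, a one-line comment above `install dccp /bin/true` would settle it, e.g. `# Uncommon network protocols nothing on the image needs; prevent on-demand loading.` The mei entries would likewise benefit from a note on why both forms appear, since `blacklist` only suppresses alias-based autoloading whereas `install … /bin/true` also neutralises an explicit `modprobe mei`, e.g. `# blacklist alone does not stop an explicit modprobe; the install lines do.`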
[Options]
ShowSysTrayIcon=true
MinimizeTray=true
MinimizeToTray=false
AutoSaveChange=true
LastFile=/home/amnesia/Persistent/keepassx.kdb
[FileDlgHistory]
ENTRY0=MainWindow_FileSave, /home/amnesia/Persistent/, 0
[General]
ShowToolbar=true
LastOpenedDatabases=/home/amnesia/Persistent/keepassx.kdbx
LastDatabases=/home/amnesia/Persistent/keepassx.kdbx
LastDir=/home/amnesia/Persistent/
\ No newline at end of file
<?xml version='1.0' encoding='UTF-8' ?>
<purple version='1.0'>
<blist>
<group name='Discussions'>
<setting name='collapsed' type='bool'>0</setting>
<chat proto='prpl-irc' account='XXX_NICK_XXX@127.0.0.1'>
<component name='channel'>#i2p</component>
</chat>
</group>
</blist>
<privacy>
<account proto='prpl-irc' name='XXX_NICK_XXX@irc.oftc.net' mode='1'/>
<account proto='prpl-irc' name='XXX_NICK_XXX@127.0.0.1' mode='1'/>
</privacy>
</purple>
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux, /usr/bin/nocache /bin/cp *
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
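Review bot: In the new `INSTALL_IUK` alias, `/usr/bin/nocache /bin/cp *` lets any argument string follow `/bin/cp` (a sudoers `*` matches across whitespace), which is the same latitude the removed bare `/bin/cp` entry gave, so this is not a widening. What keeps it that way is that the entry pins `/bin/cp` as nocache's first argument rather than listing `/usr/bin/nocache` on its own, because nocache executes whatever command follows it; that intent is invisible to the next editor and deserves a comment above the alias, e.g. `# nocache must stay pinned to /bin/cp: granted alone it would run any command as root`. The other unrestricted entries (`/bin/dd`, `/bin/mount`, `/bin/tar`, `/bin/chmod`, `/bin/rm`) are unchanged by this commit.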
......
pref("extensions.torbirdy.custom.network.proxy.socks_port", 9061);
pref("extensions.torbirdy.emailwizard", true);
pref("extensions.torbirdy.custom.extensions.enigmail.already_torified", true);
pref("extensions.torbirdy.gpg_already_torified", true);
......@@ -41,7 +41,7 @@ Start_readahead ()
(cd /
start-stop-daemon \
--start --background --make-pidfile --startas /bin/sh \
--pidfile /var/run/background-readahead.pid -- \
--pidfile /run/background-readahead.pid -- \
-c "$BG_FILES | xargs cat >/dev/null 2>&1")
# Creating state file
......
......@@ -8,6 +8,9 @@ sed -i 's,^\(\#\?\s*deb\(-src\)\?\s\+\)http://,\1tor+http://,' \
sed -E -i 's,\s+non-free$,,' \
/etc/apt/sources.list /etc/apt/sources.list.d/*.list
sed -E -i '/^deb(-src)?\s+\S+\s+\S+-proposed-updates\s+/d' \
/etc/apt/sources.list /etc/apt/sources.list.d/*.list
echo '
### Time-based snapshots
......@@ -85,3 +88,5 @@ s{
}{$1tor+http://jenw7xbd6tf7vfhp.onion/$2}xms;
' | perl -pi - /etc/apt/sources.list /etc/apt/sources.list.d/*.list
find /etc/apt/sources.list* -size 0 -delete
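Review bot: The added `find /etc/apt/sources.list* -size 0 -delete` has no `-type f`, and the glob deliberately includes the `/etc/apt/sources.list.d` directory; whether an empty directory reports `-size 0` depends on the filesystem the chroot is built on, so on some of them `-delete` would remove `sources.list.d` itself once its last file goes. `find /etc/apt/sources.list* -type f -size 0 -delete` restricts the cleanup to the files the preceding `sed`/`perl` passes may have emptied. The `-proposed-updates` deletion in the first hunk looks fine; note it only matches entries whose suite field is followed by whitespace, which every well-formed `deb` line has.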
......@@ -6,7 +6,6 @@ Import_GnuPG_key ()
sudo -H -u "${LIVE_USERNAME}" gpg --batch --import /usr/share/doc/tails/website/*.key
echo "- importing GnuPG signing key into tails-iuk's trusted keyring"
mkdir -p /usr/share/tails-iuk/trusted_gnupg_homedir
gpg --batch --homedir /usr/share/tails-iuk/trusted_gnupg_homedir \
--import /usr/share/doc/tails/website/tails-signing.key
chmod -R go+rX /usr/share/tails-iuk/trusted_gnupg_homedir/*
......
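Review bot: With `mkdir -p /usr/share/tails-iuk/trusted_gnupg_homedir` removed, the homedir is created by gpg itself when `--homedir` does not exist, and gpg creates it mode 0700; the following `chmod -R go+rX …/trusted_gnupg_homedir/*` only reaches the contents, so the directory itself stays unreadable to the non-root reader this keyring is presumably meant for. Unless the directory is created earlier by something outside this hook, either keep the `mkdir -p` or add `chmod go+rX /usr/share/tails-iuk/trusted_gnupg_homedir` after the import. The `Import_GnuPG_key ()` function enclosing this hunk starts and ends outside it.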
#!/bin/sh
install -m 0775 -o root -g tails-upgrade-frontend -d /var/run/tails-upgrader
#!/bin/sh
# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
# when the string "i2p" is added to the boot prompt.
# Import i2p_is_enabled().
. /usr/local/lib/tails-shell-library/i2p.sh
SRC="/usr/share/tails/i2p-disabled"
Install_I2P(){
mv "$SRC/wrapper" /usr/sbin/wrapper
mv "$SRC/i2p-browser.desktop" /usr/share/applications
mv "$SRC/i2p" /usr/share
rmdir "$SRC"
}
Add_Sudo_Config(){
echo "amnesia ALL = NOPASSWD: /usr/local/sbin/i2p-browser" > /etc/sudoers.d/zzz_i2pbrowser
chown root:root /etc/sudoers.d/zzz_i2pbrowser
chmod 0440 /etc/sudoers.d/zzz_i2pbrowser
}
if i2p_is_enabled && [ -d "$SRC" ]; then
Install_I2P
Add_Sudo_Config
fi
......@@ -17,7 +17,6 @@ ExecStartPre=/bin/sh -c \
[ -n "${HTP_POOL_FOE}" ]'
ExecStartPre=/bin/rm -f "${DONE_FILE}"
ExecStartPre=/bin/rm -f "${SUCCESS_FILE}"
ExecStartPre=/usr/bin/install -o root -g root -m 0755 -d /run/htpdate
ExecStartPre=/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
ExecStart=/usr/local/sbin/htpdate \
--debug \
......
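Review bot: Removing the `ExecStartPre=/usr/bin/install -o root -g root -m 0755 -d /run/htpdate` line leaves the next one, `install -o htp -g nogroup -m 0644 /dev/null "${LOG}"`, dependent on `/run/htpdate` already existing if `${LOG}` lives under it, which this hunk does not show. If the directory is now provided elsewhere, `RuntimeDirectory=htpdate` (with `RuntimeDirectoryMode=0755`) in `[Service]` is the idiomatic replacement and is created before any `ExecStartPre=` runs; if it is already declared outside the hunk, a short comment next to these `ExecStartPre=` lines naming it would help. The `[Service]` section enclosing this hunk starts outside it.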