Commit 71cc895f authored by Tails developers's avatar Tails developers

Merge branch 'devel' into feature/install-password-manager

parents 9d07f9c7 28b28bd1
......@@ -34,6 +34,7 @@ $RUN_LB_CONFIG \
--iso-volume="TAILS ${AMNESIA_FULL_VERSION}" \
--memtest none \
--packages-lists="standard" \
--tasks="standard" \
--linux-packages="linux-image-3.2.0-4" \
--syslinux-menu vesamenu \
--syslinux-splash data/splash.png \
......
......@@ -10,6 +10,10 @@ Package: eatmydata
Pin: origin backports.debian.org
Pin-Priority: 999
Package: ekeyd
Pin: origin backports.debian.org
Pin-Priority: 999
Package: florence
Pin: origin backports.debian.org
Pin-Priority: 999
......@@ -86,10 +90,6 @@ Package: libunix-mknod-perl
Pin: origin backports.debian.org
Pin-Priority: 999
Package: libvpx0
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: live-boot
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......@@ -298,10 +298,6 @@ Package: xul-ext-https-everywhere
Pin: release o=Debian,a=experimental
Pin-Priority: 999
Package: xul-ext-monkeysphere
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: xul-ext-noscript
Pin: release o=Debian,a=experimental
Pin-Priority: 999
......
......@@ -13,19 +13,37 @@ if [ $2 != "up" ]; then
exit 0
fi
# Import tor_control_*(), TOR_LOG
. /usr/local/lib/tails-shell-library/tor.sh
# It's safest that Tor is not running when messing with its log and
# data dir.
service tor stop
# Workaround https://trac.torproject.org/projects/tor/ticket/2355
if grep -qw bridge /proc/cmdline; then
rm -f /var/lib/tor/*
fi
# We depend on grepping stuff from the Tor log (especially for
# tordate/20-time.sh), so deleting it seems like a Good Thing(TM).
rm -f "${TOR_LOG}"
# A SIGHUP should be enough but there's a bug in Tor. Details:
# * https://trac.torproject.org/projects/tor/ticket/1247
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
restart-tor
# In bridge mode Vidalia needs to start before tordate (20-time.sh)
# since we need bridges to be configured before any consensus or
# descriptors can be downloaded, which tordate depends on.
if grep -qw bridge /proc/cmdline; then
# When using a bridge Tor reports TLS cert lifetime errors
# (e.g. when the system clock is way off) with severity "info", but
# when no bridge is used the severity is "warn". tordate/20-time.sh
# depends on grepping these error messages, so we temporarily
# increase Tor's logging severity.
tor_control_setconf "Log=\"info file ${TOR_LOG}\""
# In bridge mode Vidalia needs to start before tordate (20-time.sh)
# since we need bridges to be configured before any consensus or
# descriptors can be downloaded, which tordate depends on.
restart-vidalia
fi
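Review bot: The `tor_control_setconf "Log=\"info file ${TOR_LOG}\""` call in the bridge branch runs straight after `restart-tor` and its outcome is never checked, so if the ControlPort is not accepting connections yet the severity stays at the default and nothing records that. tordate's `tor_cert_lifetime_invalid` would then find no "info" certificate lines in bridge mode, and `is_clock_way_off` could keep polling. Whether `restart-tor` waits for the control port is not visible in this hunk, so that needs confirming against the full script. At minimum log the failure, e.g. `tor_control_setconf "Log=\"info file ${TOR_LOG}\"" || logger "10-tor.sh: could not raise Tor log severity"`. That only catches a failed connection, because the helper sends Tor's reply to `/dev/null`.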
......@@ -7,25 +7,23 @@
# In any case, we use HTP to ask more accurate time information to
# a few authenticated HTTPS servers.
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
# Import tor_control_*(), tor_is_working(), TOR_LOG, TOR_DIR
. /usr/local/lib/tails-shell-library/tor.sh
### Init variables
TORDATE_DIR=/var/run/tordate
TORDATE_DONE_FILE=${TORDATE_DIR}/done
TOR_LOG=/var/log/tor/log
TOR_DIR=/var/lib/tor
TOR_CONSENSUS=${TOR_DIR}/cached-microdesc-consensus
TOR_UNVERIFIED_CONSENSUS=${TOR_DIR}/unverified-microdesc-consensus
TOR_UNVERIFIED_CONSENSUS_HARDLINK=${TOR_UNVERIFIED_CONSENSUS}.bak
TOR_DESCRIPTORS=${TOR_DIR}/cached-microdescs
NEW_TOR_DESCRIPTORS=${TOR_DESCRIPTORS}.new
INOTIFY_TIMEOUT=60
DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
VERSION_FILE=/etc/amnesia/version
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
### Exit conditions
# Run only when the interface is not "lo":
......@@ -66,23 +64,6 @@ notify_user() {
exec /bin/su -c "notify-send ${timeout_args} \"${summary}\" \"${body}\"" "${LIVE_USERNAME}" &
}
# This function may be dangerous to use. See "Potential Tor bug" below.
# Only handles GETINFO keys with single-line answers
# FIXME: If we end up using this, let's give root access to Tor's control
# port instead of relying on sudo.
tor_control_getinfo() {
COOKIE=/var/run/tor/control.authcookie
HEXCOOKIE=$(xxd -c 32 -g 0 $COOKIE | cut -d' ' -f2)
/bin/echo -ne "AUTHENTICATE ${HEXCOOKIE}\r\nGETINFO ${1}\r\nQUIT\r\n" | \
sudo -u amnesia nc 127.0.0.1 9051 | grep -m 1 "^250-${1}=" | \
# Note: we have to remove trailing CL+RF to not confuse the shell
sed "s|^250-${1}=\(.*\)[[:space:]]\+$|\1|"
}
tor_is_working() {
[ -e $TOR_DESCRIPTORS ] || [ -e $NEW_TOR_DESCRIPTORS ]
}
has_consensus() {
local files="${TOR_CONSENSUS} ${TOR_UNVERIFIED_CONSENSUS}"
......@@ -204,37 +185,31 @@ tor_cert_valid_after() {
${TOR_LOG} | tail -n 1
}
# Potential Tor bug: it seems like using this version makes Tor get
# stuck at "Bootstrapped 5%" quite often. Is Tor sensitive to opening
# control ports and/or issuing "getinfo status/bootstrap-phase" during
# early bootstrap? Because of this we fallback to greping the log.
#tor_bootstrap_progress() {
# tor_control_getinfo status/bootstrap-phase | \
# sed 's/^.* BOOTSTRAP PROGRESS=\([[:digit:]]\+\) .*$/\1/'
#}
tor_bootstrap_progress() {
grep -o "\[notice\] Bootstrapped [[:digit:]]\+%:" ${TOR_LOG} | \
tail -n1 | sed "s|\[notice\] Bootstrapped \([[:digit:]]\+\)%:|\1|"
}
tor_cert_lifetime_invalid() {
# Since we only check for existence of such a line, we may
# find a match here when it's not relevant. A fix would be
# to clear the Tor log each time it starts in order to
# ensure that everything in the log are currently relevant.
grep -q "\[warn\] Certificate \(not yet valid\|already expired\)." \
# To be sure that we only grep relevant information, we
# should delete the log when Tor is started, which we do
# in 10-tor.sh.
# The log severity will be "warn" if bootstrapping with
# authorities and "info" with bridges.
grep -q "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." \
${TOR_LOG}
}
# This check is blocking until Tor reaches either of two states:
# 1. Tor completes a handshake with an authority.
# 2. Tor fails the handshake with all authorities.
# 1. Tor completes a handshake with an authority (or bridge).
# 2. Tor fails the handshake with all authorities (or bridges).
# Since 2 essentially is the negation of 1, one of them will happen,
# so it won't block forever. Hence we shouldn't need a timeout.
# FIXME: An exception would be if Tor has DisableNetwork=1, which we
# will use once we fully support bridge mode, so we will have to
# revisit this then.
is_clock_way_off() {
log "Checking if system clock is way off"
until [ "$(tor_bootstrap_progress)" -gt 10 ]; do
if tor_cert_lifetime_invalid; then
return 0
......@@ -274,6 +249,11 @@ fi
wait_for_working_tor
# Disable "info" logging workaround from 10-tor.sh
if grep -qw bridge /proc/cmdline; then
tor_control_setconf "Log=\"notice file ${TOR_LOG}\""
fi
touch $TORDATE_DONE_FILE
log "Restarting htpdate"
......
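Review bot: The reset near the end, `tor_control_setconf "Log=\"notice file ${TOR_LOG}\""`, is reached only after `wait_for_working_tor` returns, so any earlier exit from this script in bridge mode would leave Tor logging at "info" for the rest of the session. Info-level logging is more verbose than the default and should not stay on longer than the clock check needs it. Consider restoring the severity from one cleanup function, or from a `trap ... EXIT` set right after the library is sourced, so every exit path runs it. A comment such as `# SETCONF Log replaces every Log line from torrc; keep this in sync with torrc` would also help the next maintainer. The code between these hunks is not shown, so the exit paths need checking against the full file.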
......@@ -21,4 +21,17 @@ export DISPLAY=':0.0'
export XAUTHORITY="`echo /var/run/gdm3/auth-for-${LIVE_USERNAME}-*/database`"
export XDG_DATA_DIRS=/usr/share/gnome:/usr/share/gdm/:/usr/local/share/:/usr/share/
export MONKEYSPHERE_VALIDATION_AGENT_SOCKET='http://127.0.0.1:6136'
# Get GTK_IM_MODULE, QT_IM_MODULE and XMODIFIERS
if [ -e "/home/${LIVE_USERNAME}/.im_environment" ] ; then
. "/home/${LIVE_USERNAME}/.im_environment"
if [ -n "${XMODIFIERS}" ] ; then
export XMODIFIERS
fi
if [ -n "${GTK_IM_MODULE}" ] ; then
export GTK_IM_MODULE
fi
if [ -n "${QT_IM_MODULE}" ] ; then
export QT_IM_MODULE
fi
fi
exec /bin/su -c iceweasel "${LIVE_USERNAME}" &
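Review bot: Dot-sourcing `/home/${LIVE_USERNAME}/.im_environment` executes a file the desktop user can write, in a script that appears privileged enough to call `/bin/su -c iceweasel "${LIVE_USERNAME}"`, so its contents run with this script's privileges. The writer added elsewhere in this commit stores raw `env | grep` output, so even an ordinary value containing a space or shell metacharacter is interpreted as shell when read back. Read the three variables as data instead: accept only `NAME=value` lines for the three expected names with a conservative value character set, and export those. The character set below is a suggestion and should be checked against the input-method values actually in use.

```sh
# Get GTK_IM_MODULE, QT_IM_MODULE and XMODIFIERS without executing the file
IM_ENV_FILE="/home/${LIVE_USERNAME}/.im_environment"
if [ -f "${IM_ENV_FILE}" ] ; then
    for im_var in XMODIFIERS GTK_IM_MODULE QT_IM_MODULE ; do
        im_val="$(sed -n "s/^${im_var}=\([A-Za-z0-9@=_.:-]*\)\$/\1/p" "${IM_ENV_FILE}" | tail -n 1)"
        if [ -n "${im_val}" ] ; then
            export "${im_var}=${im_val}"
        fi
    done
fi
# … unchanged: exec /bin/su -c iceweasel "${LIVE_USERNAME}" & …
```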
......@@ -41,6 +41,9 @@ domain ip {
# White-list access to Tor's ControlPort
daddr 127.0.0.1 proto tcp dport 9051 {
mod owner uid-owner amnesia ACCEPT;
# Needed by a workaround in tordate (NM's 20-time.sh hook)
# for temporarily changing Tor's logging severity.
mod owner uid-owner root ACCEPT;
}
# White-list access to Tor's TransPort
......
/* Required, do not remove */
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
/* Hide AdBlock-Plus button in the add-on bar */
#abp-toolbarbutton { display: none; }
/* Hide HTTPS Everywhere button in the toolbar */
#https-everywhere-button { display: none; }
......
browser.search.defaultenginename=Startpage HTTPS
browser.search.selectedEngine=Startpage HTTPS
browser.startup.homepage=https://check.torproject.org/?lang=ar
browser.startup.homepage=https://tails.boum.org/news/
browser.search.defaultenginename=Startpage HTTPS - Deutsch
browser.search.selectedEngine=Startpage HTTPS - Deutsch
browser.startup.homepage=https://check.torproject.org/?lang=de
browser.startup.homepage=https://tails.boum.org/news/index.de.html
browser.search.defaultenginename=Startpage HTTPS
browser.search.selectedEngine=Startpage HTTPS
browser.startup.homepage=https://check.torproject.org/
browser.startup.homepage=https://tails.boum.org/news/
browser.search.defaultenginename=Startpage HTTPS - Espanol
browser.search.selectedEngine=Startpage HTTPS - Espanol
browser.startup.homepage=https://check.torproject.org/?lang=es
browser.startup.homepage=https://tails.boum.org/news/index.es.html
browser.search.defaultenginename=Startpage HTTPS - Francais
browser.search.selectedEngine=Startpage HTTPS - Francais
browser.startup.homepage=https://check.torproject.org/?lang=fr
\ No newline at end of file
browser.startup.homepage=https://tails.boum.org/news/index.fr.html
browser.search.defaultenginename=Startpage HTTPS - Italiano
browser.search.selectedEngine=Startpage HTTPS - Italiano
browser.startup.homepage=https://check.torproject.org/?lang=it_IT
browser.startup.homepage=https://tails.boum.org/news/
browser.search.defaultenginename=Startpage HTTPS - Portugues
browser.search.selectedEngine=Startpage HTTPS - Portugues
browser.startup.homepage=https://check.torproject.org/?lang=pt_BR
browser.startup.homepage=https://tails.boum.org/news/index.pt.html
browser.search.defaultenginename=Startpage HTTPS - Portugues
browser.search.selectedEngine=Startpage HTTPS - Portugues
browser.startup.homepage=https://check.torproject.org/?lang=pt_PT
browser.startup.homepage=https://tails.boum.org/news/index.pt.html
browser.search.defaultenginename=Startpage HTTPS
browser.search.selectedEngine=Startpage HTTPS
browser.startup.homepage=https://check.torproject.org/?lang=zh_CN
browser.startup.homepage=https://tails.boum.org/news/
......@@ -13,7 +13,7 @@
# FIXME: this script should be translatable in a better way than the
# ugly case..esac thing. Note that using gettext at this point -i.e.
# after the CD has been ejected- is probably too brittle. A possible
# after the DVD has been ejected- is probably too brittle. A possible
# solution would be to turn this script into a .in file, with
# placeholders for translatable string. Translatable strings and their
# translations could be managed by ikiwiki+po, and the placeholders
......@@ -46,7 +46,7 @@ do_stop () {
# Note to translators: any text line must fit on a 80 characters wide screen
case "${LANG}" in
es_ES.UTF-8)
print_text " Puede ahora retirar el CD o el USB de arranque."
print_text " Puede ahora retirar el DVD o el USB de arranque."
print_empty_line
print_text " Se borrará dentro de pocos segundos la memoria RAM del sistema..."
print_empty_line
......@@ -56,7 +56,7 @@ do_stop () {
print_text " it may mean the memory wiping has failed."
;;
fr_FR.UTF-8)
print_text " Vous pouvez maintenant retirer le CD / clé USB de boot."
print_text " Vous pouvez maintenant retirer le DVD / clé USB de boot."
print_empty_line
print_text " La mémoire vive va être effacée dans quelques secondes..."
print_empty_line
......@@ -77,7 +77,7 @@ do_stop () {
;;
*)
print_text " You can now remove the boot CD or USB stick."
print_text " You can now remove the boot DVD or USB stick."
print_empty_line
print_text " The system memory is going to be wiped in a few seconds..."
print_empty_line
......
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-reconfigure-memlockd
# Required-Start: $local_fs memlockd
# Required-Start: $local_fs
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop:
# X-Start-Before: memlockd
# Short-Description: Reconfigure memlockd depending on running kernel
# Description: Reconfigure memlockd depending on running kernel
### END INIT INFO
......@@ -18,7 +19,6 @@ case "$1" in
>> "$MEMLOCKD_CONF"
tails-boot-to-kexec initrd $(tails-get-bootinfo initrd) \
>> "$MEMLOCKD_CONF"
service memlockd restart
# Tell sendsigs to forget about memlockd. Together with
# not calling 'memlockd stop' on shutdown, we have a
......
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-sdmem-on-media-removal
# Required-Start: udev $local_fs tails-reconfigure-memlockd tails-reconfigure-kexec
# Required-Start: udev $local_fs memlockd tails-reconfigure-memlockd tails-reconfigure-kexec
# Required-Stop: $local_fs memlockd
# Default-Start: 2 3 4 5
# Default-Stop: 0 6
......
[donate]
dont_bug=1
last_asked=1354364819
amnesia ALL = NOPASSWD: /sbin/halt
amnesia ALL = NOPASSWD: /sbin/reboot
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[Desktop Entry]
Name=tails-add-bookmark-for-persistent-directory
GenericName=add GTK bookmark to Persistent directory
Comment=display Persistent directory in Places and GtkFileChooser
Exec=/usr/local/bin/tails-add-bookmark-for-persistent-directory
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-add-bookmark-for-persistent-directory;
[Desktop Entry]
Name=tails-save-im-environment
GenericName=save Desktop IM environment
Comment=save Desktop IM environment so that autostarted iceweasel can use it
Exec=/usr/local/bin/tails-save-im-environment
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-save-im-environment;
......@@ -7,3 +7,7 @@ grep -qw "kiosk" /proc/cmdline || return 0
rm -f /usr/local/sbin/unsafe-browser
rm -f /usr/share/applications/unsafe-browser.desktop
rm -f /etc/sudoers.d/zzz_unsafe-browser
# Hide the persistence setup launchers
rm -f /usr/share/applications/tails-persistence-delete.desktop
rm -f /usr/share/applications/tails-persistence-setup.desktop
<oaf_info>
<oaf_server iid="OAFIID:ShutdownHelper_Factory" type="exe"
location="/usr/local/bin/shutdown_helper_applet">
<oaf_attribute name="repo_ids" type="stringv">
<item value="IDL:Bonobo/GenericFactory:1.0"/>
<item value="IDL:Bonobo/Unknown:1.0"/>
</oaf_attribute>
<oaf_attribute name="name" type="string" value="Shutdown Helper Factory"/>
<oaf_attribute name="description" type="string"
value="Shutdown Helper's factory that launches the applet"/>
</oaf_server>
<oaf_server iid="OAFIID:ShutdownHelper" type="factory"
location="OAFIID:ShutdownHelper_Factory">
<oaf_attribute name="repo_ids" type="stringv">
<item value="IDL:GNOME/Vertigo/PanelAppletShell:1.0"/>
<item value="IDL:Bonobo/Control:1.0"/>
<item value="IDL:Bonobo/Unknown:1.0"/>
</oaf_attribute>
<oaf_attribute name="name" type="string" value="Shutdown Helper"/>
<oaf_attribute name="description" type="string"
value="Lock screen, shutdown or reboot"/>
<oaf_attribute name="panel:category" type="string"
value="Utility"/>
<oaf_attribute name="panel:icon" type="string"
value="tails-system-shutdown.png"/>
</oaf_server>
</oaf_info>
#!/usr/bin/env python
import gtk
import gnomeapplet
import subprocess
from gettext import gettext as _
from gettext import bindtextdomain, textdomain
from os import sep
from locale import setlocale, LC_ALL
LOCALE_PREFIX = "%susr" % (sep)
LOCALE_DIR = "%s%sshare%slocale" % ( LOCALE_PREFIX, sep, sep )
PACKAGE = "shutdown_helper_applet"
setlocale(LC_ALL, "")
bindtextdomain(PACKAGE, LOCALE_DIR)
textdomain(PACKAGE)
def applet_factory(applet, iid):
image = gtk.Image()
image.set_from_file('/usr/share/icons/tails-system-shutdown.png')
applet.add(image)
applet.connect('button-press-event', show_action_menu)
applet.show_all()
return True
def show_action_menu(applet, event):
# Magic number denotes "left mouse button"
if event.button != 1:
return
menu = gtk.Menu()
menu_entries = [
# [_("Lock Screen"), 'gnome-lockscreen', lock_screen],
[_("Shutdown Immediately"), 'gnome-shutdown', shutdown],
[_("Reboot Immediately"), 'gtk-refresh', reboot]
]
for [label, icon_name, action] in menu_entries:
item = gtk.ImageMenuItem(label, True)
icon = gtk.Image()
icon.set_from_icon_name(icon_name, gtk.ICON_SIZE_MENU)
item.set_image(icon)
item.connect("activate", action)
item.show()
menu.add(item)
menu.popup(None, None, None, event.button, event.time)
def lock_screen(widget):
subprocess.call(["gnome-screensaver-command", "--lock"])
def shutdown(widget):
subprocess.call(["sudo", "-n", "halt"])
def reboot(widget):
subprocess.call(["sudo", "-n", "reboot"])
import sys
# run it in a gtk window
if len(sys.argv) > 1 and sys.argv[1] == "test":
main_window = gtk.Window(gtk.WINDOW_TOPLEVEL)
main_window.set_title("Shutdown Helper")
main_window.connect("destroy", gtk.mainquit)
app = gnomeapplet.Applet()
applet_factory(app, None)
app.reparent(main_window)
main_window.show_all()
gtk.main()
sys.exit()
if __name__ == '__main__':
gnomeapplet.bonobo_factory('OAFIID:ShutdownHelper_Factory',
gnomeapplet.Applet.__gtype__,
_("Shutdown Helper"), '0.1',
applet_factory)
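Review bot: `shutdown()` and `reboot()` call `sudo -n halt` and `sudo -n reboot` by bare name and discard the return code. If the command sudo resolves does not match the `/sbin/halt` and `/sbin/reboot` entries in the sudoers lines added by this commit, `-n` makes sudo fail without prompting and the click does nothing visible. Shutdown is what leads to the memory wipe announced in the shutdown messages, so a silent failure here is worth surfacing. Use the absolute paths, `subprocess.call(["sudo", "-n", "/sbin/halt"])` and `subprocess.call(["sudo", "-n", "/sbin/reboot"])`, and show an error dialog when the call returns non-zero. Separately, `gtk.mainquit` in the test branch is the deprecated spelling of `gtk.main_quit`.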
#!/bin/sh
PERSISTENT_DIRECTORY="${HOME}/Persistent"
if mountpoint -q "$PERSISTENT_DIRECTORY" 2>/dev/null ; then
echo "file://$PERSISTENT_DIRECTORY" >> "${HOME}/.gtk-bookmarks"
fi
#!/bin/sh
env | grep -E '^(XMODIFIERS|GTK_IM_MODULE|QT_IM_MODULE)=' \
> "${HOME}/.im_environment"
#!/bin/sh
TOR_RC=/etc/tor/torrc
TOR_LOG=/var/log/tor/log
TOR_DIR=/var/lib/tor
TOR_DESCRIPTORS=${TOR_DIR}/cached-microdescs
NEW_TOR_DESCRIPTORS=${TOR_DESCRIPTORS}.new
get_tor_control_port() {
sed -n 's/^ControlPort[[:space:]]\+\([[:digit:]]\+\)/\1/p' "${TOR_RC}"
}
tor_control_send() {
COOKIE=/var/run/tor/control.authcookie
HEXCOOKIE=$(xxd -c 32 -g 0 $COOKIE | cut -d' ' -f2)
/bin/echo -ne "AUTHENTICATE ${HEXCOOKIE}\r\n${1}\r\nQUIT\r\n" | \
nc 127.0.0.1 $(get_tor_control_port)
}
# This function may be dangerous to use. See "Potential Tor bug" below.
# Only handles GETINFO keys with single-line answers
tor_control_getinfo() {
tor_control_send "GETINFO ${1}" | grep -m 1 "^250-${1}=" | \
# Note: we have to remove trailing CL+RF to not confuse the shell
sed "s|^250-${1}=\(.*\)[[:space:]]\+$|\1|"
}
tor_control_setconf() {
tor_control_send "SETCONF ${1}" >/dev/null
}
# Potential Tor bug: it seems like using this version makes Tor get
# stuck at "Bootstrapped 5%" quite often. Is Tor sensitive to opening
# control ports and/or issuing "getinfo status/bootstrap-phase" during
# early bootstrap? Because of this we fallback to greping the log.
#tor_bootstrap_progress() {
# tor_control_getinfo status/bootstrap-phase | \
# sed 's/^.* BOOTSTRAP PROGRESS=\([[:digit:]]\+\) .*$/\1/'
#}
tor_is_working() {
[ -e $TOR_DESCRIPTORS ] || [ -e $NEW_TOR_DESCRIPTORS ]
}
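Review bot: `tor_control_send` passes the hex control cookie as an argument to the external `/bin/echo`, which puts it on that process's command line, where other local users can read it while the command runs. Build the request with the shell's `printf` instead (a builtin in dash and bash): `printf 'AUTHENTICATE %s\r\n%s\r\nQUIT\r\n' "${HEXCOOKIE}" "${1}" | nc 127.0.0.1 "$(get_tor_control_port)"`, and quote `"$COOKIE"` in the `xxd` call. The function also carries on when the cookie cannot be read or `get_tor_control_port` prints nothing; returning non-zero early in those cases would let callers such as `tor_control_setconf` report the failure. The port is read from torrc here while the firewall rule added in this commit hard-codes 9051, which deserves a comment next to `get_tor_control_port`.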