Run tails-update-frontend as a dedicated user, and don't allow the amnesia...

Run tails-update-frontend as a dedicated user, and don't allow the amnesia user to install any arbitrary IUK.

Run tails-update-frontend as a dedicated user, and don't allow the amnesia...
Run tails-update-frontend as a dedicated user, and don't allow the amnesia user to install any arbitrary IUK.
acef7e8d · Tails developers · 8fa63bd5 · acef7e8d · acef7e8d · acef7e8d
Commit acef7e8d authored Nov 26, 2013 by Tails developers
3 changed files
--- a/config/chroot_local-hooks/06-adduser_tails-update-frontend
+++ b/config/chroot_local-hooks/06-adduser_tails-update-frontend
+#!/bin/sh
+
+set -e
+
+# Create the tails-update-frontend user.
+#
+# The tails-update-frontend program may be run as this user.
+# This avoids having to grant the desktop user the right to install
+# any arbitrary IUK.
+
+echo "creating the tails-update-frontend user"
+
+adduser --system --quiet --group --no-create-home tails-update-frontend
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_update
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_update
 Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar
 Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
+Cmnd_Alias UPDATE_FRONTEND = /usr/bin/tails-update-frontend

 Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
+Defaults!UPDATE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"

-amnesia           ALL =                             NOPASSWD: /usr/bin/tails-shutdown-network
-amnesia           ALL = (tails-install-iuk)         NOPASSWD: /usr/bin/tails-install-iuk
-amnesia           ALL = (tails-iuk-get-target-file) NOPASSWD: IUK_GET_TARGET_FILE
-amnesia           ALL = (tails-iuk-get-target-file) NOPASSWD: /usr/bin/tails-iuk-mktemp-get-target-file
+amnesia               ALL = (tails-update-frontend)     NOPASSWD: UPDATE_FRONTEND
+tails-update-frontend ALL =                             NOPASSWD: /usr/bin/tails-shutdown-network
+tails-update-frontend ALL = (tails-install-iuk)         NOPASSWD: /usr/bin/tails-install-iuk
+tails-update-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: IUK_GET_TARGET_FILE
+tails-update-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: /usr/bin/tails-iuk-mktemp-get-target-file
+tails-update-frontend ALL =                             NOPASSWD: /sbin/reboot

 tails-install-iuk ALL =                             NOPASSWD: INSTALL_IUK
--- a/config/chroot_local-includes/usr/local/bin/tails-update-frontend-wrapper
+++ b/config/chroot_local-includes/usr/local/bin/tails-update-frontend-wrapper
@@ -11,6 +11,7 @@ TORDATE_DONE_FILE="${TORDATE_DIR}/done"
 INOTIFY_TIMEOUT=60
 MIN_MEMFREE=$((200 * 1024))
 MIN_TOTAL_MEMFREE=$((500 * 1024))
+RUN_AS_USER=tails-update-frontend

 ### Functions

@@ -65,4 +66,6 @@ done

 check_free_memory "$MIN_MEMFREE" "$MIN_TOTAL_MEMFREE"

-exec /usr/bin/tails-update-frontend "$@"
+xhost +SI:localuser:"$RUN_AS_USER"
+gksudo -u "$RUN_AS_USER" "/usr/bin/tails-update-frontend $@"
+xhost -SI:localuser:"$RUN_AS_USER"