Commit af0beb7d authored by T(A)ILS developers's avatar T(A)ILS developers

Merge branch 'master' of ssh://livecd/~/wiki

parents 80e5ba42 19e9817e
Package: aircrack-ng
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: xresprobe
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
Pin-Priority: 1001
Package: *
Pin: release o=Debian,a=testing
Pin: release o=Debian,n=squeeze
Pin-Priority: 900
Package: *
......@@ -19,4 +19,4 @@ for sql_src_file in ${SQL_SRC_DIR}/*.sql ; do
done
rm -rf ${SQL_SRC_DIR}
aptitude --assume-yes purge $INSTALLED_PACKAGES
apt-get --yes purge $INSTALLED_PACKAGES
......@@ -3,20 +3,35 @@
# Install modules managed by module-assistant
echo "installing modules managed by module-assistant"
MODULES=""
MA="module-assistant --text-mode --non-inter"
apt-get install --yes build-essential module-assistant debhelper
$MA update
ma_install_tools ()
{
apt-get install --yes build-essential module-assistant debhelper
$MA update
}
for MODULE in $MODULES ; do
for KERNEL in /boot/vmlinuz-* ; do
VERSION="$(basename ${KERNEL} | sed -e 's|vmlinuz-||')"
$MA --quiet auto-install ${MODULE} -l ${VERSION}
ma_install_modules ()
{
for MODULE in $@ ; do
for KERNEL in /boot/vmlinuz-* ; do
VERSION="$(basename ${KERNEL} | sed -e 's|vmlinuz-||')"
$MA --quiet auto-install ${MODULE} -l ${VERSION}
done
$MA clean ${MODULE}
apt-get --yes purge ${MODULE}
done
$MA clean ${MODULE}
aptitude --assume-yes purge ${MODULE}
done
}
ma_cleanup ()
{
rm -f /usr/src/*.deb
}
if [ -n "${MODULES}" ] ; then
ma_install_tools
ma_install_modules
ma_cleanup
fi
rm -f /usr/src/*.deb
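Review bot: `ma_install_modules` is called with no arguments inside the new `if [ -n "${MODULES}" ]` block, but its body loops over `$@`, so the modules listed in MODULES are never built or installed after this change; the call should read `ma_install_modules ${MODULES}` (left unquoted on purpose, since MODULES is a whitespace-separated list). The same block calls `ma_install_tools`, whose `apt-get install` status is never checked, so a failed tool install still falls through to the build loop; `ma_install_tools || exit 1` would make that failure visible, unless the script already runs under `set -e` (its header is outside the hunk).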
......@@ -12,4 +12,4 @@ DST="/usr/local/sbin/udev-watchdog"
gcc -o "$DST" "$SRC" -static -Wall -ludev
strip --strip-all "$DST"
aptitude --assume-yes purge libudev-dev
apt-get --yes purge libudev-dev
......@@ -2,26 +2,9 @@
echo "managing initscripts"
. /usr/share/amnesia/build/variables
disable_service () {
local INITSCRIPT="$1"
case "${LB_DISTRIBUTION}" in
squeeze|sid)
update-rc.d ${INITSCRIPT} disable
;;
*)
for startlink in /etc/rc[S2-5].d/S[0-9][0-9]${INITSCRIPT} ; do
stoplink=`echo "${startlink}" | sed -e 's,^\(/etc/rc[S2-5].d/\)S,\1K,'`
mv "${startlink}" "${stoplink}"
done
;;
esac
}
# enable custom initscripts
update-rc.d tails-detect-virtualization defaults
update-rc.d tails-wifi defaults
# we run Tor ourselves after HTP via NetworkManager hooks
disable_service tor
update-rc.d tor disable
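Review bot: `update-rc.d tor disable` now runs unconditionally, whereas the removed `disable_service` only used the `disable` action for squeeze/sid and renamed the S-links otherwise, so the script now assumes a sysv-rc that understands `disable`; a one-line comment such as `# requires sysv-rc with the "disable" action (squeeze or later)` would record that assumption. Its exit status is also unchecked, and because the comment above says Tor is meant to be started only after HTP, a silently failed disable would leave Tor starting from init at boot; `update-rc.d tor disable || exit 1` makes the failure abort the build unless `set -e` is already in effect (the script header is outside the hunk).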
#!/bin/sh
echo "Removing development packages"
# use apt-get as aptitude doesn't know about globs
apt-get --purge remove --yes \
'linux-kbuild-*' \
'linux-headers-*' \
# use aptitude to remove the dependencies, as Lenny's APT lacks the
# autoremove action
aptitude --assume-yes purge \
build-essential debhelper dkms dpatch dpkg-dev \
cpp-4.1 \
gcc gcc-4.1 gcc-4.1-base gcc-4.2-base gcc-4.3 \
g++ g++-4.3 \
libc6-dev libstdc++6-4.3-dev linux-libc-dev \
make \
module-assistant \
virtualbox-ose-guest-dkms
#!/bin/sh
echo "Removing unwanted packages"
### Deinstall dev packages.
# We use apt-get as aptitude doesn't know about globs.
# There are packages we could be tempted to remove but we can't:
# - gcc-4.4-base (libstdc++6 depends on it)
# - libgcc1 (vidalia depends on it)
# - cpp, cpp-4.4 (big parts of GNOME depend on it)
apt-get --yes purge \
'^linux-kbuild-*' \
'^linux-headers-*' \
build-essential debhelper dkms dpatch dpkg-dev \
cpp-4.3 \
gcc gcc-4.3 gcc-4.3-base gcc-4.4 \
g++ '^g\+\+-*' \
intltool-debian \
libc6-dev libgl1-mesa-dev libstdc++6-4.4-dev linux-libc-dev \
make \
module-assistant \
po-debconf \
virtualbox-ose-guest-dkms
### Deinstall some other unwanted packages.
apt-get --yes purge \
tasksel tasksel-data
### Deinstall dependencies of the just removed packages.
apt-get --yes --purge autoremove
### Deinstall gnome-core and some of its new dependencies.
# We do this last as we don't want apt-get autoremove to deinstall all
# gnome-core dependencies.
# - gnome-core itself
apt-get --yes purge gnome-core
# - evolution and its dependencies
apt-get --yes purge \
evolution evolution-common libevolution \
libgtkhtml-editor-common libgtkhtml-editor0 libgtkhtml3.14-19
# - gvfs-backends and its dependencies
apt-get --yes purge \
gvfs-backends libcdio-cdda0 libcdio-paranoia0 libsmbclient libwbclient0 \
libtalloc2
# - others
apt-get --yes purge \
gnome-screensaver gnome-keyring gnome-user-guide
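Review bot: The new script chains several `apt-get --yes purge` calls under `#!/bin/sh` with no `set -e` and no status checks, so a purge that fails (for example a pattern that matches no package, which apt-get reports as an error) is silently skipped and the later `autoremove` still runs; adding `set -e` directly after the shebang makes any failed removal abort the build. Separately, the comment says apt-get is used because it knows globs, but APT interprets `'^linux-kbuild-*'`, `'^linux-headers-*'` and `'^g\+\+-*'` as regular expressions; the trailing `-*` means "zero or more hyphens" with no end anchor, which still matches the intended packages but reads as a glob, so `'^linux-kbuild-'`, `'^linux-headers-'` and `'^g\+\+-'` express the same match more plainly.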
......@@ -26,29 +26,12 @@
# as the htp user all operations but the actual setting of time, which
# has to be done as root.
# Run only when the interface is not "lo":
if [[ $1 = "lo" ]]; then
exit 0
fi
# Run whenever an interface gets "up", not otherwise:
if [[ $2 != "up" ]]; then
exit 0
fi
### Init variables
LOG=/var/log/nm-htp.log
HTPDATE_LOG=/var/log/htpdate.log
LOG=/var/log/htpdate.log
DONE_FILE=/var/lib/live/htp-done
if [ -e "${DONE_FILE}" ]; then
exit 0
fi
# Get LIVE_USERNAME
. /etc/live/config.d/username
export DISPLAY=':0.0'
exec /bin/su -c /usr/local/bin/tails-htp-notify-user "${LIVE_USERNAME}" &
SUCCESS_FILE=/var/lib/live/htp-success
declare -a HTP_POOL
HTP_POOL=(
......@@ -67,10 +50,69 @@ else
NAME_SERVERS="208.67.222.222 208.67.220.220"
fi
echo "Will use these nameservers: ${NAME_SERVERS}" >>$LOG
### Exit conditions
# Run only when the interface is not "lo":
if [[ $1 = "lo" ]]; then
exit 0
fi
# Run whenever an interface gets "up", not otherwise:
if [[ $2 != "up" ]]; then
exit 0
fi
# Do not run if we already successed:
if [ -e "${SUCCESS_FILE}" ]; then
exit 0
fi
### Delete previous state file
rm -f "${DONE_FILE}"
### Create log file
# The htp user needs to write to this file.
# The $LIVE_USERNAME user needs to read this file.
touch "${LOG}"
chown htp:nogroup "${LOG}"
chmod 644 "${LOG}"
### Run tails-htp-notify-user (the sooner, the better)
# Get LIVE_USERNAME
. /etc/live/config.d/username
export DISPLAY=':0.0'
exec /bin/su -c /usr/local/bin/tails-htp-notify-user "${LIVE_USERNAME}" &
### Functions
log () {
echo "$@" >> "${LOG}"
}
quit () {
exit_code="$1"
shift
message="$@"
cleanup_etc_hosts
echo "$exit_code" >> "${DONE_FILE}"
if [ $exit_code -eq 0 ]; then
touch "${SUCCESS_FILE}"
fi
log "${message}"
exit $exit_code
}
cleanup_etc_hosts() {
echo "Cleaning /etc/hosts" >>$LOG
log "Cleaning /etc/hosts"
local tempfile
tempfile=`mktemp -t nm-htp.XXXXXXXX`
where=outside
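Review bot: In the new `quit` function, `message="$@"` assigns a list to a scalar; the portable spelling is `message="$*"`, and `$exit_code` should be quoted in the `[ "$exit_code" -eq 0 ]` test and in `exit "$exit_code"` so an empty first argument fails loudly instead of turning the test into a syntax error. The merged log file is now created by root, handed to `htp:nogroup` with mode 644, and then written both by this root-run hook via `log` and by the unprivileged htp process; since a later comment says tails-htp-notify-user parses a marker string from this log, content written by the htp user could be mistaken for the hook's own status lines — confirm the parser tolerates that, or keep the root-written status lines in a separate root-owned file as the old `nm-htp.log` did. `cleanup_etc_hosts` continues outside the hunk.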
......@@ -91,6 +133,13 @@ cleanup_etc_hosts() {
mv "$tempfile" /etc/hosts
}
### Main
# Beware: this string is used and parsed in tails-htp-notify-user
log "HTP NetworkManager hook: here we go"
log "Will use these nameservers: ${NAME_SERVERS}"
echo "${BEGIN_MAGIC}" >> /etc/hosts
for HTP_HOST in ${HTP_POOL[*]} ; do
......@@ -103,10 +152,8 @@ for HTP_HOST in ${HTP_POOL[*]} ; do
head -n 1 | \
cut -d ' ' -f 4)
if [[ -z ${IP} ]]; then
echo "Failed to resolve ${HTP_HOST}" >>$LOG
echo "${END_MAGIC}" >> /etc/hosts
cleanup_etc_hosts
exit 17
quit 17 "Failed to resolve ${HTP_HOST}"
else
echo "${IP} ${HTP_HOST}" >> /etc/hosts
fi
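Review bot: The resolve-failure branch now calls `quit 17 ...` without first appending `${END_MAGIC}` to /etc/hosts, which the replaced lines did before `cleanup_etc_hosts`; if the `where=outside` state machine in `cleanup_etc_hosts` needs the end marker to close the block (it looks that way, but its body is outside this hunk), an unterminated block could leave the partially written HTP entries in /etc/hosts or strip unrelated lines after them. Either restore `echo "${END_MAGIC}" >> /etc/hosts` before the `quit` call, or make `quit` or `cleanup_etc_hosts` handle a missing end marker, and say which in a comment. The enclosing `for HTP_HOST` loop starts outside the hunk.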
......@@ -114,25 +161,14 @@ done
echo "${END_MAGIC}" >> /etc/hosts
touch "${HTPDATE_LOG}"
chown htp:nogroup "${HTPDATE_LOG}"
chmod 644 "${HTPDATE_LOG}"
/usr/local/sbin/htpdate \
-d \
-l "${HTPDATE_LOG}" \
-l "${LOG}" \
-a "`/usr/local/bin/getTorbuttonUserAgent`" \
-f \
-p \
-u htp \
${HTP_POOL[*]}
HTPDATE_RET=$?
echo "htpdate exited with return code ${HTPDATE_RET}" >>$LOG
cleanup_etc_hosts
echo "${HTPDATE_RET}" > "${DONE_FILE}"
touch "${DONE_FILE}"
exit ${HTPDATE_RET}
quit ${HTPDATE_RET} "htpdate exited with return code ${HTPDATE_RET}"
http_proxy=http://localhost:8118
HTTP_PROXY=http://localhost:8118
SOCKS_SERVER=localhost:9050
SOCKS5_SERVER=localhost:9050
http_proxy=http://127.0.0.1:8118
HTTP_PROXY=http://127.0.0.1:8118
SOCKS_SERVER=127.0.0.1:9050
SOCKS5_SERVER=127.0.0.1:9050
......@@ -12,25 +12,35 @@
# Established outgoing connections are accepted.
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Local network connections should not go through Tor. Note that we
# exclude the VirtualAddrNetwork used for .onion:s here.
[0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j ACCEPT
[0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j ACCEPT
[0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j ACCEPT
# Note: this must run before traffic is dispatched to the lan rule.
# The htp user is allowed to connect to services listening on the https port...
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport https -j ACCEPT
# ... and to services listening on the domain port.
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport domain -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner htp -p UDP --dport domain -j ACCEPT
# Internal network connections are accepted.
[0:0] -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected - apart for the htp user.
[0:0] -N lan
[0:0] -A lan -p TCP --dport domain -j REJECT
[0:0] -A lan -p UDP --dport domain -j REJECT
[0:0] -A lan -j ACCEPT
# Sort out traffic to local network
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
[0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
[0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
[0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
# Tor is allowed to do anything it wants to.
[0:0] -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
# i2p is allowed to do anything it wants to.
[0:0] -A OUTPUT -m owner --uid-owner i2p-daemon -j ACCEPT
# The htp user is allowed to connect to services listening on the https port...
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport https -j ACCEPT
# ... and to services listening on the domain port.
[0:0] -A OUTPUT -m owner --uid-owner htp -p TCP --dport domain -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner htp -p UDP --dport domain -j ACCEPT
# Everything else is dropped.
[0:0] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
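Review bot: On the new side the `lan` chain rejects TCP and UDP `domain` and the RFC1918 destinations are dispatched to it before the `--uid-owner htp` ACCEPT rules are reached, so the htp user's DNS queries to a LAN resolver are rejected even though the comment above the chain says DNS is rejected "apart for the htp user" (and the older note said the htp rules must precede the lan dispatch). To match the stated intent, accept htp inside the chain ahead of the REJECTs with `[0:0] -A lan -m owner --uid-owner htp -p TCP --dport domain -j ACCEPT` and `[0:0] -A lan -m owner --uid-owner htp -p UDP --dport domain -j ACCEPT`, or move the three htp OUTPUT rules above the `-j lan` dispatch. Which lines are old and which new is not fully recoverable from the rendered page, so verify the final ordering against the raw diff.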
......@@ -19,51 +19,77 @@ pref("browser.shell.checkDefaultBrowser", false);
pref("app.update.auto", false);
pref("app.update.disable_button.showUpdateHistory", false);
pref("app.update.enabled", false);
pref("browser.bookmarks.livemark_refresh_seconds", 31536000);
pref("browser.cache.disk.capacity", 0);
pref("browser.cache.disk.enable", false);
pref("browser.download.manager.closeWhenDone", true);
pref("browser.download.manager.retention", 0);
pref("browser.formfill.enable", false);
pref("browser.history_expire_days", 0);
pref("browser.history_expire_days.mirror", 0);
pref("browser.microsummary.updateGenerators", false);
pref("browser.privatebrowsing.autostart", true);
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("browser.safebrowsing.remoteLookups", false);
pref("browser.search.suggest.enabled", false);
pref("browser.search.update", false);
pref("browser.send_pings", false);
pref("browser.sessionstore.enabled", false);
pref("browser.sessionstore.privacy_level", 2);
pref("browser.startup.homepage_override.mstone", "ignore");
pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
pref("capability.policy.maonoscript.sites", "https://auk.riseup.net https://mail.riseup.net https://swift.riseup.net https://tern.riseup.net https://webmail.no-log.org about: about:blank about:certerror about:config about:credits about:neterror about:plugins about:privatebrowsing about:sessionrestore chrome: file:// https://webmail.boum.org resource:");
pref("dom.event.contextmenu.enabled", false);
pref("dom.storage.enabled", false);
pref("extensions.foxyproxy.last-version", "2.19.1");
pref("extensions.update.enabled", false);
pref("extensions.update.notifyUser", false);
pref("layout.css.report_errors", false);
pref("network.cookie.lifetimePolicy", 2);
pref("network.cookie.prefsMigrated", true);
pref("network.protocol-handler.external-default", false);
pref("network.protocol-handler.external.mailto", false);
pref("network.protocol-handler.external.news", false);
pref("network.protocol-handler.external.nntp", false);
pref("network.protocol-handler.external.snews", false)
pref("network.protocol-handler.warn-external.file", true);
pref("network.protocol-handler.warn-external.mailto", true);
pref("network.protocol-handler.warn-external.news", true);
pref("network.protocol-handler.warn-external.nntp", true);
pref("network.protocol-handler.warn-external.snews", true);
pref("network.proxy.http", "localhost");
pref("network.proxy.failover_timeout", 0);
pref("network.proxy.http", "127.0.0.1");
pref("network.proxy.http_port", 8118);
pref("network.proxy.socks", "127.0.0.1");
pref("network.proxy.socks_port", 9050);
pref("network.proxy.socks_remote_dns", true);
pref("network.proxy.ssl", "localhost");
pref("network.proxy.ssl", "127.0.0.1");
pref("network.proxy.ssl_port", 8118);
pref("network.proxy.type", 1);
pref("network.security.ports.banned", "8118,8123,9050,9051");
pref("layout.spellcheckDefault", 0);
pref("network.dns.disableIPv6", true);
pref("noscript.httpsForced", "boum.org\nmail.google.com\nmail.riseup.net\nwebmail.no-log.org\nwebmail.boum.org");
pref("noscript.ABE.enabled", false);
pref("noscript.ABE.notify", false);
pref("noscript.httpsForced", "*twitter.com *facebook.com blog.torproject.org www.torproject.org docs.google.com addons.mozilla.org www.stumbleupon.com boum.org amnesia.boum.org mail.google.com mail.riseup.net webmail.no-log.org webmail.boum.org");
pref("noscript.httpsForcedExceptions", "");
pref("noscript.notify.hide", true);
pref("noscript.policynames", "");
pref("noscript.secureCookies", true);
pref("noscript.secureCookiesForced", "*torproject.org *github.com *facebook.com *twitter.com boum.org amnesia.boum.org mail.google.com mail.riseup.net webmail.no-log.org webmail.boum.org");
pref("noscript.showAddress", true);
pref("noscript.showAllowPage", false);
pref("noscript.showDistrust", true);
pref("noscript.showDistrust", false);
pref("noscript.showDomain", true);
pref("noscript.showGlobal", false);
pref("noscript.showPermanent", false);
pref("noscript.showRecentlyBlocked", false);
pref("noscript.showRevokeTemp", false);
pref("noscript.showTemp", false);
pref("noscript.showTempAllowPage", false);
pref("noscript.showTempToPerm", false);
pref("noscript.showUntrusted", true);
pref("noscript.showUntrusted", false);
pref("noscript.untrusted", "google-analytics.com google.com file:// http://google-analytics.com http://google.com https://google-analytics.com https://google.com");
pref("pref.privacy.disable_button.cookie_exceptions", false);
pref("pref.privacy.disable_button.view_cookies", false);
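Review bot: `pref("network.protocol-handler.external.snews", false)` lacks the terminating semicolon that every other line has; if this line is on the new side, the pref parser is not tolerant of syntax errors and the prefs after it — including the `network.proxy.*` lines that route the browser through 127.0.0.1:8118/9050 and `network.proxy.socks_remote_dns` — may never be applied, which would silently undo the proxy enforcement. Add the `;`, and confirm with a clean profile that about:config shows `network.proxy.type` as 1 after loading the file.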
......@@ -79,7 +105,10 @@ pref("security.enable_java", false);
pref("security.enable_ssl2", false);
pref("security.enable_ssl3", true);
pref("security.enable_tls", true);
pref("security.xpconnect.plugin.unrestricted", false);
pref("security.warn_leaving_secure", true);
pref("security.warn_submit_insecure", true);
pref("signon.prefillForms", false);
pref("signon.rememberSignons", false);
pref("xpinstall.whitelist.add", "");
pref("xpinstall.whitelist.add.103", "");
......@@ -17,5 +17,11 @@
<DT><A HREF="https://mail.riseup.net/">riseup.net</A>
<DT><A HREF="https://webmail.boum.org/">boum.org</A>
</DL><p>
<DT><h3>Tor</h3>
<DL><p>
<DT><A HREF="https://check.torproject.org/?small=1">Tor check</A>
<DT><A HREF="https://www.torproject.org/">Tor</A>
</DL><p>
</DL><p>
</DL><p>
0.9.2:
* Fix a bug in our redirection loop detection that was causing touble with
some parts of NYTimes, Facebook, and other sites
0.9.1:
* Unbreak the "all x news articles" links in Google News
* Exclude nytimes.com/roomfordebate, since it's broken in https.
0.9.0:
* This is our "Firesheep" release. It has numerous anti-firesheep
improvements!
* Split the stricter parts of the Facebook rule into a "Facebook+" rule.
It's what's required to protect Facebook from Firesheep and similar cookie
theft attacks, but it may break apps, because apps.facebook.com currently
has the wrong cert.
* Allow rulesets to specify that the secure flag should be set on some
cookies even if the site operator failed to do so
* Ship rules for:
- Amazon S3 (AWS)
- Github
- Bit.ly
- Dropbox
- Evernote
- Cisco
* Extensive improvements (including secure cookies) in the Twitter and
Facebook rules
* Support for full Live / Hotmail encryption
* Significant performance optimisation decreases CPU load
Fixes:
https://trac.torproject.org/projects/tor/ticket/1656
https://trac.torproject.org/projects/tor/ticket/2194
* Rearrange our Channel Replacement code!
Fixes https://trac.torproject.org/projects/tor/ticket/1684
https://bugzilla.mozilla.org/show_bug.cgi?id=548102
Thanks to Giorgio Maone and Boris Zbarsky!
* Add scrollbars if there are a lot of rules present in the Preferences
dialog (may still be somewhat buggy...)
* Optimise GoogleServices.xml and support Google code search
* Patch for future compatiability with Request Policy:
https://trac.torproject.org/projects/tor/ticket/1574
* Support for the Firefox 4 API
* The Amazon rule was causing a lot of glitches; it is now off by default
* Control log verbosity with an about:config variable
* Numerous minor rule improvements
0.2.2:
* Fix a glitch in the Content Policy path that may or may not have been
responsible for these bugs:
https://trac.torproject.org/projects/tor/ticket/1700
https://trac.torproject.org/projects/tor/ticket/1672
https://trac.torproject.org/projects/tor/ticket/1673
The patch breaks toolbar search suggestions. And who knows what else?
* Don't send some country homepages to https://www.google.com/webhp?hl= ;
use https://encrypted.google.com instead
* Cleanup and refactor the URI replacement and rewriting code. Should
hopefully fix https://trac.torproject.org/projects/tor/ticket/1649
* Add a Google APIs rule
* Remove some Extremely Nasty code that would delete malformed rulesets (!)
(it was pasted from Torbutton's cookie handling logic...)
* Add code.google.com to Google Services
* The client=firefox* workaround is no longer necessary once we're sending
non-US users to encrypted.google.com rather than www.google.com
* Better coverage for GMX, Google services, Twitter
* Scroogle homepage in HTTPS
* Add rules for
- Mail.com logins
- Microsoft (limited coverage)
* Fix a nasty Google/Wikipedia bug within 0.2.2.development.{1,2}
0.2.1:
* Although google said https://www.google.com would continue to work, that
wasn't absolutely true.
* The new encyrpted.google.com seems to require queries to be #q=thing
rather than search?q=thing, at least some of the time. So let's do that.
0.2.0:
* Work around the fact that Google does not allow client=firefox* HTTPS
searches from outside the US, by rewriting those URIs
* Add rules for:
- Amazon
- GMX