Commit bb68eb07 authored by intrigeri

tails-debugging-info: move warning to the top, before using any of the functions it's about.

parent 9c3f11c9
#!/bin/sh
# *** WARNING about debug_file and debug_directory *********************
#
# Great attention must be given to the ownership situation of these
# files and their parent directories in order to avoid a symlink-based
# attack that could read the contents of any file and make it
# accessible to the user running this script (typicall the live
# user). Therefore, when adding a new file, give as the first argument
# 'root' only if the complete path to it (including the file itself)
# is owned by root and already exists before the system is connected to
# the network (that is, before GDM's PostLogin script is run).
# If not, the following rules must be followed strictly:
#
# * only one non-root user is involved in the ownership situation (the
# file, its dir and the parent dirs). From now on let's assume it is
# the case and call it $USER.
#
# * if any non-root group has write access, it must not have any
# members.
#
# If any of these rules does not apply, the file cannot be added here
# safely and something is probably quite wrong and should be
# investigated carefully.
debug_command() {
echo
echo "===== output of command $@ ====="
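Review bot: the moved warning still carries the typo "typicall" (for "typically") in the sentence about the user running this script; since these lines are being rewritten anyway, fix it in this commit. The new banner also names both debug_file and debug_directory, while the body only speaks of "adding a new file". Either state that the same ownership rules apply to a directory passed to debug_directory, or keep the banner to debug_file so the scope of the rules is unambiguous.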
......@@ -43,26 +66,6 @@ debug_file root "/proc/asound/devices"
debug_file root "/proc/asound/modules"
debug_command /bin/journalctl --catalog --no-pager
# Great attention must be given to the ownership situation of these
# files and their parent directories in order to avoid a symlink-based
# attack that could read the contents of any file and make it
# accessible to the user running this script (typicall the live
# user). Therefore, when adding a new file, give as the first argument
# 'root' only if the complete path to it (including the file itself)
# is owned by root and already exists before the system is connected to
# the network (that is, before GDM's PostLogin script is run).
# If not, the following rules must be followed strictly:
#
# * only one non-root user is involved in the ownership situation (the
# file, its dir and the parent dirs). From now on let's assume it is
# the case and call it $USER.
#
# * if any non-root group has write access, it must not have any
# members.
#
# If any of these rules does not apply, the file cannot be added here
# safely and something is probably quite wrong and should be
# investigated carefully.
debug_file root "/etc/X11/xorg.conf"
debug_file Debian-gdm "/var/log/gdm3/tails-greeter.errors"
debug_file root "/var/log/live/boot.log"
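Review bot: with the warning removed from this spot, the entry that passes a non-root owner, debug_file Debian-gdm "/var/log/gdm3/tails-greeter.errors", no longer has any nearby hint that stricter ownership rules apply to it. Consider leaving a one-line comment above this group that points back to the warning at the top of the script, so that someone adding an entry here reads the rules before copying a neighbouring line.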
......