Commit df1f92f0 authored by Tails developers's avatar Tails developers

Don't allow the desktop user to pass arguments to tails-upgrade-frontend (Closes: #7410)

... and accordingly update the design document and manual test suite steps.

The tails-upgrade-frontend program is run as the tails-upgrade-frontend user,
that is basically equivalent to root. Some of the available
tails-upgrade-frontend options might be dangerous. I've looked at it quickly and
didn't find anything scary, but still, it's simply not worth taking the risk of
privilege escalation, persistent root kit implementation, and so on.

Strictly speaking, this change does not really belong to
bugfix/7345-upgrade-from-iso-from-1.0-to-1.1, and could have been implemented
separately. However, this branch introduces running as root a syslinux binary
taken from the installed IUK, so it raised the flag that made me want to lock
this down a bit more.
parent 42137775
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"
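Review bot: the trailing `""` on the new UPGRADE_FRONTEND alias is the sudoers idiom for "this command, with an empty argument list", which matches the intent in the commit message, but the `Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"` line directly below it still lets the desktop user feed two environment variables into the root-equivalent frontend, so one input channel is closed while another stays open. If those variables exist only for the manual test suite, say so in a comment next to the env_keep line, or restrict them the same way the arguments are. It is also worth verifying the resulting policy on a built image with `sudo visudo -c` and `sudo -l` as the `amnesia` user, so that the entry is confirmed to read as a no-argument rule rather than assumed to.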
......@@ -69,5 +69,9 @@ sleep 30
check_free_memory "$MIN_MEMFREE" "$MIN_TOTAL_MEMFREE"
xhost +SI:localuser:"$RUN_AS_USER"
gksudo -u "$RUN_AS_USER" "/usr/bin/tails-upgrade-frontend $@"
if [ $# -gt 0 ] ; then
gksudo -u "$RUN_AS_USER" "/usr/bin/tails-upgrade-frontend $@"
else
gksudo -u "$RUN_AS_USER" /usr/bin/tails-upgrade-frontend
fi
xhost -SI:localuser:"$RUN_AS_USER"
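Review bot: in the `$# -gt 0` branch the command is still handed to gksudo as one double-quoted string, `"/usr/bin/tails-upgrade-frontend $@"`, so `"$@"` loses its per-argument word boundaries (inside double quotes it behaves like `$*`) and any argument containing whitespace is re-split by the shell gksudo invokes. With the sudoers rule from this same commit that branch is also guaranteed to be refused on a production image; it only works after the manual test suite has patched `/etc/sudoers.d/zzz_upgrade`. Either remove the argument path and exit with a clear message when `$#` is non-zero, or keep it and add a comment saying it exists solely for the manual test setup, so the next reader does not take it for a supported code path.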
......@@ -685,8 +685,9 @@ fix this.
## Privilege separation
The default Live user (`amnesia`) runs the upgrade frontend as the
dedicated `tails-upgrade-frontend` user, who:
The default Live user (`amnesia`) is allowed to run the upgrade
frontend, without arguments, as the dedicated `tails-upgrade-frontend`
user, who itself:
* is allowed to run the `tails-shutdown-network` and `/sbin/reboot`
programs, using passwordless sudo, as any user;
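Review bot: the rewritten sentence states the new "without arguments" restriction but not where it is enforced, and since the wrapper script still contains a branch that forwards arguments, a reader of the design document cannot tell that it is the sudoers rule (the `""` suffix in `/etc/sudoers.d/zzz_upgrade`) that refuses them. A short parenthetical such as "(enforced by the sudoers rule, which matches only an empty argument list)" would tie the two together, and noting that `DISABLE_PROXY` and `SSL_NO_VERIFY` are still passed through from the caller's environment would keep this section an accurate description of the trust boundary between `amnesia` and `tails-upgrade-frontend`.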
......@@ -470,6 +470,13 @@ correctly.
echo "192.168.1.4 dl.amnesia.boum.org" | sudo tee --append /etc/hosts
* Patch sudo configuration to allow passing arbitrary arguments to
`tails-upgrade-frontend`:
sudo sed -i \
-e 's,/usr/bin/tails-upgrade-frontend ""$,/usr/bin/tails-upgrade-frontend,' \
/etc/sudoers.d/zzz_upgrade
* Call the upgrader must be called, from inside the system to upgrade,
with every needed option to use the local web server rather than the
online one, for example:
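Review bot: the `sed -i` step has no verification, so a silent non-match (for example if the sudoers line ever gains trailing whitespace or a comment after `""`) would leave the tester with arguments still refused and no obvious cause. Follow it with `grep -F 'tails-upgrade-frontend' /etc/sudoers.d/zzz_upgrade` and `sudo visudo -c`, so the step fails loudly if the pattern did not apply or the edited file is no longer valid. The next bullet also has a grammar slip: "Call the upgrader must be called" should read "The upgrader must be called".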