tails issues
https://gitlab.tails.boum.org/tails/tails/-/issues
Updated: 2020-05-15T14:06:14Z

Ensure that mumble and mumble-server will be in Buster
https://gitlab.tails.boum.org/tails/tails/-/issues/15603
Updated: 2020-05-15T14:06:14Z
Author: segfault
_Originally created by @segfault on [#15603 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15603)_
The mumble and mumble-server packages were [removed from Debian
Testing](https://tracker.debian.org/news/955532/mumble-removed-from-testing/)
last week. The reason seems to be this unsolved
[bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893604).
Mumble is one of the core features of Tails Server, so I think it would
be really bad if we wouldn’t have it in Buster. I hope this will be
fixed by the Debian maintainer or Mumble, but in the worst case I will
try to fix this in time for the Buster freeze (which doesn’t have a date
yet).
Milestone: Tails_3.9.1

Tails Server: Self-hosted services behind Tails-powered onion services
https://gitlab.tails.boum.org/tails/tails/-/issues/5688
Updated: 2021-09-07T11:19:29Z
Author: import-from-Redmine
_Originally created by Tails on [#5688 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/5688)_
team: segfault, anonym
Development repositories:
<https://gitlab.com/segfault3/onionkit>
<https://gitlab.com/segfault3/onionservices>
<https://gitlab.com/segfault3/onionclient>
Blueprint: https://tails.boum.org/blueprint/tails_server
Feature Branch: feature/5688-tails-server
### Subtasks
- [x] tails/tails#11313
- [x] tails/tails#11314
- [ ] tails/tails#11551
- [ ] tails/tails#12230
- [ ] tails/tails#12231
- [ ] tails/tails#12253
- [ ] tails/tails#12255
- [ ] tails/tails#12297
- [ ] tails/tails#14456
- [ ] tails/tails#15034
- [ ] tails/tails#15299
- [ ] tails/tails#15300
- [ ] tails/tails#15301
- [ ] tails/tails#15343
- [ ] tails/tails#15348
- [ ] tails/tails#15899
### Related issues
- **Related to** tails/tails#7879
- **Related to** tails/tails#12236
- **Related to** tails/tails#15035
- **Related to** tails/tails#15181
- **Related to** tails/tails#6333
- **Related to** tails/tails#11241
Assignee: segfault

Consider using unix sockets for onion services in Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12024
Updated: 2021-09-07T11:19:29Z
Author: segfault
_Originally created by @segfault on [#12024 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12024)_
Instead of listening on 127.0.0.1 via TCP, Tor supports listening on a
unix socket. This has the potential to be faster \[1\], prevents
potential localhost bypasses \[2\], and allows the use of systemd’s
privatenetwork isolation feature \[2,3\] (although the latter would not
work with LAN connections).
\[1\] <https://trac.torproject.org/projects/tor/ticket/11485>
\[2\] <https://riseup.net/en/security/network-security/tor/onionservices-best-practices>
\[3\] <https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateNetwork=>
Not all services support listening on unix sockets though.
Assignee: segfault

Write Tails Server Design Documentation
https://gitlab.tails.boum.org/tails/tails/-/issues/12231
Updated: 2021-09-07T11:15:21Z
Author: segfault
_Originally created by @segfault on [#12231 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12231)_
Blueprint: https://tails.boum.org/blueprint/tails_server/
Parent Task: tails/tails#5688
### Related issues
- **Related to** tails/tails#12007
- **Related to** tails/tails#9232
- **Related to** tails/tails#14456
Assignee: segfault

Reduce apt update time during first start of Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12237
Updated: 2020-05-15T15:51:22Z
Author: segfault
_Originally created by @segfault on [#12237 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12237)_
Currently this takes between 2 and 10 minutes, depending on the Tor
circuit.
Parent Task: tails/tails#12230
### Related issues
- **Related to** tails/tails#11539
- **Related to** tails/tails#12238

Use polkit with Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12255
Updated: 2021-09-07T11:18:06Z
Author: segfault
_Originally created by @segfault on [#12255 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12255)_
Tails Server does a lot of things that require higher privileges.
Currently, the backend is executed as root. We should consider running
it as its own user, and write polkit actions and policies to allow
privileged actions.
Actions that require higher privileges:
- apt update, apt install
- systemctl start/stop
- write to service config files (e.g. sshd_config)
- rw access to /var/lib/tor and /var/lib/tails
- copy to persistent volume
- mount --bind, umount
Parent Task: tails/tails#5688
Assignee: segfault

Make Tails Server compatible with Wayland
https://gitlab.tails.boum.org/tails/tails/-/issues/12297
Updated: 2021-09-07T11:18:10Z
Author: segfault
_Originally created by @segfault on [#12297 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12297)_
In Wayland, only the local user (amnesia) is able to run UI
applications. It is not planned that this will be changed, for more
information see [this
ticket](https://bugzilla.redhat.com/show_bug.cgi?id=1274451).
So, the previous plan to run tails-server as a dedicated user with
polkit rules to allow privileged actions is not compatible with Wayland.
There seem to be 4 options:
1. Run tails-server as a dedicated user with polkit rules, using some
   workaround like `xhost si:amnesia:tails-server-user` or
   `XDG_RUNTIME_DIR=/run/user/$MY_UID`. This would make use of
   XWayland instead of Wayland. We would have to investigate further
   implications of this.
   - Pro: Almost no additional coding required
   - Contra: Still has to be investigated
2. Create polkit rules to allow amnesia to execute the required
   privileged actions. This would allow all apps to execute these actions,
   so we have to think about security implications. We could adjust the
   polkit rules to only allow the exact actions required by Tails Server,
   i.e. install/remove those packages required by some service in Tails
   Server, start/stop the corresponding systemd units, edit the config
   files, etc.
   - Contra: This would offer a lot of attack surface to other
     applications.
3. Run the GUI as amnesia and the back-end as root in separate
   processes, and expose a reduced **high-level** control interface.
   - Contra: This would require additional effort to implement 1. the
     Inter-process-communication, and 2. the reduced high-level control
     interface.
   - Contra: The back-end would accept commands from all apps running as
     amnesia user, which might offer attack surface (but certainly less
     than option 2, because the interface can be reduced more
     fine-grained).
4. Run the GUI as amnesia and the back-end as root in separate
   processes, and expose a **low-level** control interface, that only
   accepts commands from the GUI process. This could be done with something
   like the Tor control port filter, which handles incoming requests
   depending on the AppArmor profile currently applied to the client.
   - Contra: This would require additional effort to implement 1. the
     Inter-process-communication, and 2. the “control-port-filter”-like
     functionality (maybe the Tails control port filter proxy could be
     reused for this?).
   - Pro: The back-end would accept commands only from the Tails Server
     GUI
5. Run the GUI as amnesia and the back-end as root in separate
   processes, and expose a reduced **high-level** control interface, that
   only accepts commands from the GUI process.
   - Contra: This would require additional effort to implement 1. the
     Inter-process-communication, 2. the reduced high-level control
     interface, and 3. the “control-port-filter”-like functionality.
   - Pro: The back-end would accept commands only from the Tails Server
     GUI **and** has a reduced control interface (providing some fallback
     security in case the control filter is circumvented)
Parent Task: tails/tails#5688
Assignee: segfault

Release Tails Server Beta
https://gitlab.tails.boum.org/tails/tails/-/issues/12230
Updated: 2021-09-07T11:17:34Z
Author: segfault
_Originally created by @segfault on [#12230 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12230)_
We want to release a Beta of Tails Server to get some more user test
results.
Feature Branch: feature/5688-tails-server
Parent Task: tails/tails#5688
### Subtasks
- [ ] tails/tails#12226
- [x] tails/tails#12232
- [x] tails/tails#12235
- [x] tails/tails#12237
- [x] tails/tails#12478
- [ ] tails/tails#12479
### Related issues
- **Related to** tails/tails#12236
- **Related to** tails/tails#15170
- **Related to** tails/tails#15171

Add more services to Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12236
Updated: 2021-09-07T11:17:48Z
Author: segfault
_Originally created by @segfault on [#12236 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12236)_
We would especially like to have some sort of web service (maybe a
wiki), because the Tor Browser can be used as a client for this (Tor
Browser is available on other systems without configuration effort).
We would also like to have some sort of instant messaging service (irc
or xmpp).
### Subtasks
- [ ] tails/tails#15170
- [ ] tails/tails#15171
### Related issues
- **Related to** tails/tails#12230
- **Related to** tails/tails#5688
- **Related to** tails/tails#12478
Assignee: segfault

Tails Server may get stuck in the "Installing" state
https://gitlab.tails.boum.org/tails/tails/-/issues/12489
Updated: 2021-09-07T11:19:36Z
Author: anonym
_Originally created by @anonym on [#12489 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12489)_
The following description is copied from the attached file, which also
contains the full Tails Server log:
# 1. I started the Tails Server GUI and told it to install Prosody
# before Tor had bootstrapped so it showed the expected "Tor has
# not bootstrapped error"
# 2. Tor actually seemed to have got stuck, so I restarted it
# 3. Tails Server immediately picked up when Tor had bootstrapped and
# started to install prosody
# 4. However, it got stuck on the "Installing" status, but I did check
# and prosody *had* been installed
# 5. At some point I tried to remove the stalled Prosody service from
# Tails Server, and I think that's why the exceptions were thrown
# below. I believe I clicked the remove button twice, which would
# explain the *two* identical exceptions.
#
# So here the real issue is 4 -- Tails Server shouldn't ever get stuck
# here. But I also find 5 ugly, that I cannot remove a service that's
# in a broken half-installed state and must solve it by restarting
# Tails Server.
### Attachments
* [tails-server-stalling.txt](https://redmine.tails.boum.org/code/attachments/download/1603/tails-server-stalling.txt)
Assignee: segfault

Write Tails Server beta release announcement
https://gitlab.tails.boum.org/tails/tails/-/issues/12479
Updated: 2020-08-04T21:23:37Z
Author: segfault
_Originally created by @segfault on [#12479 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12479)_
Parent Task: tails/tails#12230
Assignee: segfault

Initial review of Tails Server implementation
https://gitlab.tails.boum.org/tails/tails/-/issues/12226
Updated: 2021-09-07T11:17:40Z
Author: anonym
_Originally created by @anonym on [#12226 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12226)_
Parent Task: tails/tails#12230

Base feature/5688-tails-server on feature/stretch
https://gitlab.tails.boum.org/tails/tails/-/issues/12232
Updated: 2020-05-15T15:51:53Z
Author: segfault
_Originally created by @segfault on [#12232 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12232)_
Parent Task: tails/tails#12230
Assignee: segfault

Use persistence.conf in Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12253
Updated: 2021-09-07T11:18:00Z
Author: segfault
_Originally created by @segfault on [#12253 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12253)_
Currently Tails Server does not use the persistence.conf. Instead, it
bind-mounts the files/directories directly, both when the persistence
option is enabled and when `tails-service --restore` is executed. The
systemd unit
`chroot_local-includes/lib/systemd/system/tails-server-persistence.service`
executes `tails-service --restore` after boot, to mount the persistent
files.
It would be nice if instead we would use the same persistence framework
everywhere.
Parent Task: tails/tails#5688
### Related issues
- **Related to** tails/tails#11533
Assignee: segfault

Add a chat service (XMPP or IRC) to Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/12478
Updated: 2020-05-19T19:31:33Z
Author: segfault
_Originally created by @segfault on [#12478 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/12478)_
Feature Branch: wip/feature/12478-tails-server-xmpp
Parent Task: tails/tails#12230
### Related issues
- **Related to** tails/tails#12236

Finish documenting Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/14456
Updated: 2020-12-22T20:06:12Z
Author: BitingBird
_Originally created by @BitingBird on [#14456 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/14456)_
team: spriver, segfault, sajolida
The current documentation is found in the `feature/5688-tails-server`
branch in `wiki/src/doc/tails_server/`. There is currently a short
documentation of the usage of Tails Server in general, how to connect to
Tails Server, and how to use the Mumble service. Those should be
proofread and improved. Additionally, we (probably?) should also write
documentation for the usage of the other available services (Gobby,
XMPP, SFTP, lighttpd).
Feature Branch: feature/5688-tails-server
Parent Task: tails/tails#5688
### Related issues
- **Related to** tails/tails#12231
Assignee: spriver

Use systemd security features for Tails Server services
https://gitlab.tails.boum.org/tails/tails/-/issues/15035
Updated: 2021-09-07T11:19:37Z
Author: segfault
_Originally created by @segfault on [#15035 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15035)_
### Related issues
- **Related to** tails/tails#5688
Assignee: segfault

Add a webserver + website framework to Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/15171
Updated: 2021-09-07T11:17:59Z
Author: Anonymous
_Originally created by @Anonymous on [#15171 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15171)_
.. possibly a wiki.
On tails/tails#12236 segfault says he has already implemented lighttpd.
So it should be decided if we want to do that at all, and if yes, which
website framework or wiki shall be used.
Parent Task: tails/tails#12236
### Related issues
- **Related to** tails/tails#12230
Assignee: segfault

Add Icecast to Tails Server
https://gitlab.tails.boum.org/tails/tails/-/issues/15170
Updated: 2021-09-07T11:17:49Z
Author: Anonymous
_Originally created by @Anonymous on [#15170 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15170)_
On tails/tails#12236 it has been proposed to add an audio streaming software to
Tails Server, possibly Icecast which would be reachable over a .onion
address.
Parent Task: tails/tails#12236
### Related issues
- **Related to** tails/tails#12230
Assignee: segfault

Create apparmor rules for Tails Server services
https://gitlab.tails.boum.org/tails/tails/-/issues/15034
Updated: 2021-09-07T11:18:13Z
Author: segfault
_Originally created by @segfault on [#15034 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15034)_
Parent Task: tails/tails#5688
Assignee: segfault