#! /bin/bash

# This script is run as root by GDM after user's login.
# It must return exit code 0, otherwise it totally breaks the logon process.

# Input
# =====
#
# * /etc/live/config.d/username.conf : $LIVE_USERNAME
# * /var/lib/gdm3/settings/tails.language: $TAILS_LOCALE_NAME
# * /var/lib/gdm3/settings/tails.formats: $TAILS_FORMATS
# * /var/lib/gdm3/settings/tails.keyboard: $TAILS_XKBMODEL,
#   $TAILS_XKBLAYOUT, $TAILS_XKBVARIANT, $TAILS_XKBOPTIONS
# * /var/lib/gdm3/settings/tails.password : $TAILS_USER_PASSWORD

# /usr/sbin is not in our PATH here for whatever reason, yet at least
# chpasswd lives there, so put it in front.
export PATH="/usr/sbin:${PATH}"

# NOTE(review): LIVE_PASSWORD is not referenced in the visible part of this
# script -- confirm whether it is still needed.
LIVE_PASSWORD="live"

# Privilege-related files managed by the password section of this script.
POLKIT="/etc/polkit-1/localauthority.conf.d/52-tails-greeter.conf"
SUDOERS="/etc/sudoers.d/tails-greeter"
NO_PASSWORD_LECTURE="/etc/sudoers.d/tails-greeter-no-password-lecture"

# System-wide keyboard, console and locale configuration files.
KBDSET="/etc/default/keyboard"
CONSET="/etc/default/console-setup"
LOCALE_CFG="/etc/default/locale"

# universal codeset to properly display glyphs in localized console
CODSET="Uni1"

# Space-separated names of the Greeter settings files that are copied from
# /var/lib/gdm3/settings to /var/lib/live/config.
GREETER_EXPORTED_SETTINGS="tails.macspoof tails.network tails.unsafe-browser"

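# Write message $1, followed by a newline, to stderr.
# printf is used rather than echo so that a message which happens to look
# like an echo option (for example "-n") is still printed literally.
log() {
    printf '%s\n' "$1" >&2
}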

# Log message $1, then the "Leaving PostLogin" marker, and end the script.
# The exit status is always 0: the header of this script states that any
# other status breaks the logon process.
log_n_exit() {
    local msg
    for msg in "$1" "Leaving PostLogin"; do
        log "$msg"
    done
    exit 0
}

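# Enforce value $3 for variable $1 in file $2.
#   $1 - variable name, matched literally at the start of a line
#   $2 - file, edited in place
#   $3 - new value; it is written between double quotes
# Only existing "$1=..." lines are rewritten; nothing is added when the
# variable is absent.
#
# The name and the value are escaped before they are spliced into the sed
# expression: otherwise a '|', '&' or '\' in the value would be interpreted
# by sed (or abort it), and regex metacharacters in the name would match
# unrelated lines. A value containing a newline is not supported.
force_set() {
    local key_re key_rep value_rep
    # Name as a literal regular expression.
    key_re=$(printf '%s' "$1" | sed -e 's/[].[\*^$|]/\\&/g')
    # Name and value as literal replacement text.
    key_rep=$(printf '%s' "$1" | sed -e 's/[\&|]/\\&/g')
    value_rep=$(printf '%s' "$3" | sed -e 's/[\&|]/\\&/g')
    sed -i -e "s|^${key_re}=.*\$|${key_rep}=\"${value_rep}\"|" "$2"
}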

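# Make sure file $2 carries a setting.
#   $1 - variable name (with $4 set: the pattern that identifies the line)
#   $2 - file to check and update
#   $3 - value (with $4 set: the complete line to append)
#   $4 - when non-empty, append $3 as-is, without the "$1=" prefix, and only
#        if pattern $1 is not found anywhere in the file
#
# Without $4: if no line starts with "$1=", append "$1=$3"; otherwise
# rewrite the existing line through force_set.
grep_n_set() {
    # Kept local so the helper does not leak state into the rest of the script.
    local present=yes

    if [ -n "$4" ] ; then
        grep -qs -- "$1" "$2" || present=no
        if [ "$present" = "no" ] ; then
            printf '%s\n' "$3" >> "$2"
        fi
        return
    fi

    # Anchor the check to "^$1=": an unanchored match also fires on comments
    # and on longer names (LANG vs LANGUAGE), in which case force_set finds
    # no line to rewrite and the variable is silently left unset.
    grep -qs -- "^$1=" "$2" || present=no
    if [ "$present" = "no" ] ; then
        printf '%s=%s\n' "$1" "$3" >> "$2"
    else
        force_set "$1" "$2" "$3"
    fi
}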

### Let's go

log "Entering PostLogin"

### Export the Greeter settings
# It's important we export the settings from tails.macspoof before
# unblocking the network below; doing so will make the user-set MAC
# spoofing option apply (via the custom udev rule) when loading the
# modules for the previously blocked network devices.
#
# The list is expanded unquoted on purpose: it is a space-separated string
# and has to be split into one file name per iteration.
for setting in ${GREETER_EXPORTED_SETTINGS}; do
    # Copies are owned by root:root with mode 0640.
    /usr/bin/install --mode=0640 --owner=root --group=root \
        "/var/lib/gdm3/settings/${setting}" \
        "/var/lib/live/config/${setting}"
done

### Gather general configuration

# Import the name of the live user.
# NOTE(review): the file is sourced by this root shell, so every statement
# in it runs as root -- confirm it is writable by root only.
if ! . /etc/live/config.d/username.conf ; then
    log_n_exit "Username file not found."
fi
[ -n "${LIVE_USERNAME}" ] || log_n_exit "Username variable not found."

### Localization

# Import locale settings
# NOTE(review): these files are sourced, not parsed, so their whole content
# is executed as root. Presumably they are written by the Greeter; verify
# that nothing less privileged than intended can write to
# /var/lib/gdm3/settings before this script runs.
if ! . /var/lib/gdm3/settings/tails.language ; then
    log_n_exit "Language settings file not found."
fi
if ! . /var/lib/gdm3/settings/tails.formats ; then
    log_n_exit "Formats settings file not found."
fi
if ! . /var/lib/gdm3/settings/tails.keyboard ; then
    log_n_exit "Keyboard settings file not found."
fi
# Without a locale name there is nothing to configure: leave with status 0.
[ -n "${TAILS_LOCALE_NAME}" ] || log_n_exit "Locale variable not found."

# Set the keyboard mapping for X11 and the console
localectl set-x11-keymap \
    "$TAILS_XKBLAYOUT" \
    "$TAILS_XKBMODEL" \
    "$TAILS_XKBVARIANT" \
    "$TAILS_XKBOPTIONS"

# Set the system locale and formats: LANG follows the chosen language, the
# listed LC_* categories follow the chosen formats.
locale_args=("LANG=${TAILS_LOCALE_NAME}.UTF-8")
for category in LC_TIME LC_NUMERIC LC_MONETARY LC_MEASUREMENT LC_PAPER; do
    locale_args+=("${category}=${TAILS_FORMATS}.UTF-8")
done
localectl set-locale "${locale_args[@]}"

# Set the system locale GSetting (#16806)
# NOTE(review): TAILS_FORMATS is written unescaped between single quotes; a
# quote or newline in the value would change the structure of this dconf
# keyfile -- confirm the value is validated where it is produced.
printf "[system/locale]\nregion = '%s.UTF-8'\n" "${TAILS_FORMATS}" \
    > /etc/dconf/db/local.d/01_Tails_settings
dconf update

# Save keyboard settings so that tails-configure-keyboard can set it
# in the GNOME session.
# NOTE(review): the values are written unescaped between double quotes. If
# the consumer sources this file as shell (not visible here), a value
# containing '"', '$' or a backquote would be interpreted -- confirm how
# the file is read and where the values are validated.
{
    printf 'XKBMODEL="%s"\n' "$TAILS_XKBMODEL"
    printf 'XKBLAYOUT="%s"\n' "$TAILS_XKBLAYOUT"
    printf 'XKBVARIANT="%s"\n' "$TAILS_XKBVARIANT"
    printf 'XKBOPTIONS="%s"\n' "$TAILS_XKBOPTIONS"
} > /var/lib/tails-user-session/keyboard

### Physical security
# The helper's exit status is only logged; the script carries on whatever
# the result.
log "Running /usr/local/lib/tails-unblock-network..."
/usr/local/lib/tails-unblock-network
unblock_status=$?
log "tails-unblock-network has exited (status=${unblock_status})."

### Password

# Import password for superuser access. The file is optional: when it is
# absent, TAILS_USER_PASSWORD stays unset.
# NOTE(review): like the other settings files it is sourced as root, so its
# content is executed, not just read -- confirm who can write it.
if test -e /var/lib/gdm3/settings/tails.password ; then
    . /var/lib/gdm3/settings/tails.password
fi

# Check if password is actually set.
# Without an administration password, remove every path to root for the
# live user: drop the PolKit and sudoers snippets, take the user out of the
# sudo group, delete the account password, and install a sudoers snippet
# that only configures the "password disabled" lecture.
if [ -z "${TAILS_USER_PASSWORD}" ] ; then
    rm -f "${POLKIT}" "${SUDOERS}"
    deluser "${LIVE_USERNAME}" sudo
    passwd -d "${LIVE_USERNAME}"
    # Create the file with its final owner and mode before writing to it.
    install -o root -g root -m 0440 /dev/null "${NO_PASSWORD_LECTURE}"
    # NOTE(review): the user name is hard-coded as "amnesia" here while the
    # rest of the script uses ${LIVE_USERNAME} -- confirm they always match.
    {
        printf '%s\n' 'Defaults:amnesia lecture=always'
        printf '%s\n' 'Defaults:amnesia lecture_file=/usr/share/tails/greeter/no-password-lecture.txt'
        printf '%s\n' 'Defaults:amnesia badpass_message="The administration password is disabled."'
    } > "${NO_PASSWORD_LECTURE}"
    log_n_exit "Password variable not found."
fi

# Sets the password.
# chpasswd -e takes the password field as already encrypted, so
# TAILS_USER_PASSWORD is presumably a hash, not the cleartext password.
# The "user:password" line is produced by a shell builtin and handed over
# on stdin, not as a command-line argument.
printf '%s:%s\n' "${LIVE_USERNAME}" "${TAILS_USER_PASSWORD}" | chpasswd -e

# Add sudoers entry: the live user may run any command as any user, after
# entering the administration password set above.
# NOTE(review): the entry is appended, and the mode is only tightened after
# the write -- confirm ${SUDOERS} cannot already exist with other content.
printf '%s ALL = (ALL) ALL\n' "${LIVE_USERNAME}" >> "${SUDOERS}"
chmod 0440 "${SUDOERS}"

# Add PolKit config: the live user is the only admin identity.
{
    printf '%s\n' "[Configuration]"
    printf 'AdminIdentities=unix-user:%s\n' "${LIVE_USERNAME}"
} > "${POLKIT}"

# Configure su-to-root to use sudo. The file is written as the live user.
# NOTE(review): LIVE_USERNAME is interpolated into the command string given
# to sh -c, which is only safe while the name holds no shell metacharacters;
# it comes from /etc/live/config.d/username.conf.
sudo -u "${LIVE_USERNAME}" \
    sh -c "echo 'SU_TO_ROOT_SU=sudo' >> /home/${LIVE_USERNAME}/.su-to-rootrc"

log "Leaving PostLogin"