From 0e53e2954f4bd1c31654ce30ac30a4a477f5390b Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Sun, 2 Nov 2014 16:14:36 -0500 Subject: [PATCH] Whonix setup GUI now run on first start to allow configuration Added alternate for dialag (gdialog) so some of Whonix programs run Changed sudo permissions to fix umask and not use QT shared memory Changed whonix to use basic hosts file Added detection if template is active for updating Added startup code for tinyproxy Added code to disable uwt so apt-get can be used as proxy Created a python GUI Message Alert using yaml for messages (internationalization) --- .../wheezy+whonix-gateway/files/.facl | 92 ++++----- .../wheezy+whonix-gateway/files/etc/hosts | 9 - .../files/etc/uwt.d/50_uwt_default | 6 + .../files/home/user/.whonix_build.sh.swp | Bin 12288 -> 0 bytes .../user/build-steps.d/1000_qubes-patches.sh | 92 --------- .../2900_qubes-post-installation.sh | 60 ------ .../files/home/user/whonix_build.sh | 41 ---- .../files/home/user/whonix_fix.sh | 3 - .../files/usr/lib/whonix/alert | 90 ++++++++ .../usr/lib/whonix/enable-iptables-logging.sh | 8 + .../files/usr/lib/whonix/messages.yaml | 12 ++ .../files/usr/lib/whonix/qubes-whonixsetup | 65 ++++-- .../files/usr/lib/whonix/replace-ips | 48 ++++- .../files/usr/lib/whonix/setup-ip | 195 ++++++------------ .../files/usr/lib/whonix/tests.sh | 95 +++++++++ .../files/usr/lib/whonix/utility_functions | 94 +++++++++ .../wheezy+whonix-workstation/files/.facl | 53 ++++- .../wheezy+whonix-workstation/files/etc/hosts | 9 - .../files/etc/uwt.d/50_uwt_default | 6 + .../files/home/user/whonix_build.sh | 41 ---- .../files/usr/lib/whonix/alert | 90 ++++++++ .../usr/lib/whonix/enable-iptables-logging.sh | 8 + .../files/usr/lib/whonix/messages.yaml | 12 ++ .../files/usr/lib/whonix/qubes-whonixsetup | 46 +++++ .../files/usr/lib/whonix/replace-ips | 57 +++-- .../files/usr/lib/whonix/setup-ip | 116 ++++++----- .../files/usr/lib/whonix/tests.sh | 95 +++++++++ .../files/usr/lib/whonix/utility_functions | 94 +++++++++ .../02_install_groups_packages_installed.sh | 45 
++-- .../wheezy+whonix/04_install_qubes_post.sh | 2 +- 30 files changed, 1028 insertions(+), 556 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default delete mode 100755 scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert create mode 100644 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index e81b167..ece4cc6 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/xdg # owner: root # group: root @@ -94,7 +108,7 @@ other::r-- # group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root 
@@ -103,98 +117,70 @@ user::r-- group::r-- other::--- -# file: home -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: home/user -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/whonix_fix.sh +# file: .facl # owner: user # group: user -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- -# file: home/user/build-steps.d -# owner: user -# group: user +# file: usr +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/build-steps.d/1000_qubes-patches.sh -# owner: user -# group: user +# file: usr/lib +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/build-steps.d/2900_qubes-post-installation.sh -# owner: user -# group: user +# file: usr/lib/whonix +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/whonix_build.sh -# owner: user -# group: user +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/.whonix_build.sh.swp -# owner: user -# group: user -user::rw- -group::r-- -other::r-- - -# file: .facl -# owner: user -# group: user -user::rw- -group::r-- -other::r-- - -# file: usr +# file: usr/lib/whonix/setup-ip # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib +# file: usr/lib/whonix/tests.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix +# file: usr/lib/whonix/messages.yaml # owner: root # group: root -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/replace-ips # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/alert # owner: root # group: root user::rwx diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts index 87b1540..cc0e30d 100644 
--- a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi 
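Review bot: The condition in the new 50_uwt_default uses the deprecated `-a` and the non-POSIX `==` inside `[ ]`, while the replace-ips hunks in this same commit move from `==` to `=`; for consistency and portability write `if [ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]; then`. This snippet is sourced into uwt for every wrapped command, so `. /usr/lib/whonix/utility_functions` runs whatever detection that file performs on each invocation — its cost and side effects are not visible in this diff and deserve a comment here. Turning the apt-get wrapper off on the strength of PROXY_SECURE is a trust decision; a comment stating what PROXY_SECURE is derived from (the qubes-whonixsetup hunk suggests a marker injected into tinyproxy's error page) and why that is considered sufficient for a template that will then fetch packages unwrapped would help the next reader.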
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp b/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp deleted file mode 100644 index e88a6478eef4588aedea9c84d9e00d26bc6d0228..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2&5j&35XYT_3kiW09Jm%Uk&rg>^zIOmL?{vo8(?ABti&uq2sG*sPq&%wwqv{J zBZMF>2zUT4z=ap!!~wwp9)Ks{&P#Bi+}$&~iB?(;bIGbK{imm0<#PGg_DHR%XzPRB z_uy*p3d6R+*!3Uwhp)f5!8YDutg^!R?vq-ktUJla+aLOX!M!RHmPeJ$lhvIyagfWh znsX-#org}W9Bgc)c6OAANQPxF%Y?YUxID{LDd#*z&sn$##xfT+$W$SMdXC0Cswe5$ z?EfT3K1AR&6R6ynU%SX&>2GiOWp+C+!3)nHoaPnN+K2!VAOb{y2oM1xKm>>Y5qOM% z(`VQh*mt(=-)ygE9=o=;bRhynfCvx)B0vO)01+SpM1Tko0U|&Io`T-L^#MZK-i;Vq_`VI9d>MH7= zXBhhf^*w5aGN^kfK%GbZdV#TTQQx5Mqdq|mP}fj^`WJKi3-t@?N7PrS5vtDl31m(w z69FPX1c(3;AOb|-bP~`?Ck(K0ZYNT68J5Y+uG1jyE>AUPMHNyq;*C{m6NK3OZ`<8 zQTm|#*g-3&xH3kRj$2ikSlCtnt5+iFcwM==>Z^-R;nFsC*eX%*Ft}S6t77S@uUT!1 zQqia@n(8OtUV(6NfCtARwJe;9R3w1s!nnf+ ziaQH)u&^{^j*)1b1it>&yVReSA~X}oRGvU;s)*}&dF7EToA0qI3OqmF-sjEDapUd6 zPJK?8LmjUjvI&VQUv`iR2SyZXiqm%ijV=?Q!*~*=q6aX{WSLs9LKJ|x&J?BD?@OBHsG7k__;b&1*n)y*ifV2?S$+ZBA2|g-3Q#$k~ z-Qu@GCE`YU+0395xIzcj%ypW@I#tCP1QGt~1Rh2G(Tm4vV{Sv~BOb?(>z_QZj|<$# Pbl;ToN?X=lb7TJj93u3Z diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh deleted file mode 100755 index 30c5f71..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -set -x - -WHONIX_DIR="$(readlink -m .)" - -# -------------------------------------------------------------------------- -# Initialize Whonix submodules -# -------------------------------------------------------------------------- -pushd "${WHONIX_DIR}" -{ - sudo git submodule update --init --recursive; -} -popd - -# -------------------------------------------------------------------------- -# Patch Whonix submodules -# -------------------------------------------------------------------------- - -# Chekout a branch; create a branch first if it does not exist -checkout_branch() { - branch=$(git symbolic-ref --short -q HEAD) - if ! [ "${branch}" == "${1}" ]; then - sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \ - { - sudo -u "${user_name}" git branch "${1}" - sudo -u "${user_name}" git checkout "${1}" - } - fi -} - -# sed search and replace. return 0 if replace happened, otherwise 1 -search_replace() { - local search="${1}" - local replace="${2}" - local file="${3}" - - sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" -} - -# Patch anon-meta-packages to not depend on grub-pc -pushd "${WHONIX_DIR}" -{ - search_replace "grub-pc" "" "grml_packages" || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" -{ - search1=" grub-pc,"; - replace=""; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" control && \ - { - cd "${WHONIX_DIR}/packages/anon-meta-packages"; - : - #sudo -E -u "${user_name}" make deb-pkg || : - #su "${user_name}" -c "dpkg-source --commit" || : - #git add . 
- #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" -{ - search1="update-grub"; - replace=":"; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" 85_update_grub && \ - { - cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; - sudo -E -u "${user_name}" make deb-pkg || : - su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; - #git add . ; - #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/build-steps.d" -{ - search1=" check_for_uncommited_changes"; - replace=" #check_for_uncommited_changes"; - - search_replace "${search1}" "${replace}" 1200_create-debian-packages || : - } -popd - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh deleted file mode 100755 index 654b9a5..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# ------------------------------------------------------------------------------ -# Whonix Post Installation Configurations -# ------------------------------------------------------------------------------ -echo "Post Configuring Whonix System" - -pushd "/etc/network" -{ - rm -f interfaces; - ln -s interfaces.backup interfaces; -} -popd - -pushd "/etc" -{ - rm -f resolv.conf; - cp -p resolv.conf.backup resolv.conf; -} -popd - -# Enable Tor -#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then -# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc" -#fi - -# Fake that whonixsetup was already run -#mkdir -p "/var/lib/whonix/do_once" -#touch "/var/lib/whonix/do_once/whonixsetup.done" - -# Fake that initializer was already run -mkdir -p "/root/.whonix" -touch "/root/.whonix/first_run_initializer.done" - -# Prevent whonixcheck error -echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default" - -# Use gdialog as an alternative for dialog -update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999 - -# Disable unwanted applications -update-rc.d network-manager disable || : -update-rc.d spice-vdagent disable || : -update-rc.d swap-file-creator disable || : -update-rc.d whonix-initializer disable || : - -service apt-cacher-ng stop || : -update-rc.d apt-cacher-ng disable || : - -# Remove apt-cacher-ng -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng - -# Remove original sources.list -rm -f "/etc/apt/sources.list" - -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig update - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
--- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh deleted file mode 100755 index 508180a..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh +++ /dev/null 
@@ -1,3 +0,0 @@ -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common - sudo apt-mark hold grub-common grub-pc-bin grub2-common diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert new file mode 100755 index 0000000..e585475 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert 
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
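Review bot: `yaml.load(stream)` in Messages.__init__ will instantiate arbitrary Python objects described by the YAML, and because `filename` comes straight from argv the parser is not limited to the root-owned messages.yaml; use `data = yaml.safe_load(stream)` and open the file with `with open(filename) as stream:` so it is also closed. `language = section.get(self.language, DEFAULT_LANG)` falls back to the string `'en'` rather than the `en` mapping, so any locale without its own section raises AttributeError on the following `.get`; `language = section.get(self.language, section.get(DEFAULT_LANG, {}))` gives the intended fallback. In main, `print parser.usage()` calls a string attribute (`parser.print_usage()` is the method), and the guard `if not args.filename and args.section:` is dead because argparse already makes both positionals mandatory. `getattr(QtGui.QMessageBox, message.icon)` accepts any attribute name taken from the file; checking the value against the icon names actually expected (`Information`, `Warning`, `Critical`, `Question`) before the getattr would keep a typo or a stray key from resolving to an unrelated class attribute.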
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +

Tor netvm required for updates!

+

Please ensure your template vm has a Whonix gateway as it's VM.

+

No updates are possible without an active (running) Whonix gateway VM.

+

+

Template will now power off

+ diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup index 681c889..49dff91 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup 
@@ -1,23 +1,46 @@ -#/bin/bash +#!/bin/bash -# XXX: TODO: -# - Make sure we can't just run this from setup-ip -# - Alternatives? instead of deleting dialog? -# -# INSTALLATION NOTES: -# - Make sure /etc/tor/torrc is disabled initially -# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist -# so repo questions will be asked -# - /etc/xdg/autostart/qubes-whonixsetup must be in place -# - this file must be in place -# - gdialog must have over-written dialog -# - patches to setup-ip: -# - bring eth1 up -# - remove old code that was trying to get setup working +. /usr/lib/whonix/utility_functions -grep "^DisableNetwork 0$" /etc/tor/torrc || { - sudo systemctl stop whonixcheck - sudo systemctl stop tor - sudo /usr/lib/whonix/setup-ip - sudo /usr/bin/whonixsetup -} +if [ "${WHONIX}" == "gateway" ]; then + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo service sdwdate restart + sudo service tor stop + sudo /usr/bin/whonixsetup && { + enable_sysv tor + sleep 1 + enable_sysv sdwdate + } || { + sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" + disable_sysv tor + disable_sysv sdwdate + sudo /sbin/poweroff + } + } + + # Allow whonix-gateway to act as an update-proxy + sudo systemctl status qubes-updates-proxy.service || { + error_file="/usr/share/tinyproxy/default.html" + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } + + sudo touch /var/run/qubes-service/qubes-updates-proxy + sudo iptables -t nat -N PR-QBS-SERVICES + sudo systemctl start qubes-updates-proxy.service + } + +elif [ "${WHONIX}" == "workstation" ]; then + if ! 
[ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then + enable_sysv sdwdate + sudo service sdwdate restart + sudo /usr/bin/whonixsetup + fi + +elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml + sudo /sbin/poweroff +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips index f2e4076..900a584 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
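Review bot: `sudo /usr/bin/whonixsetup && { … } || { … }` in the gateway branch is not an if/else: when whonixsetup succeeds but `enable_sysv sdwdate`, the last command of the first group, returns non-zero, the failure group runs as well, commenting out DisableNetwork in torrc and powering the VM off. Rewrite it as the explicit if/else below. Inside that failure group `sed -i` on /etc/tor/torrc is the only command run without sudo, so unless torrc is user-writable it fails quietly and the comment-out never happens. `sudo iptables -t nat -N PR-QBS-SERVICES` will error on every run after the first because the chain already exists; `sudo iptables -t nat -L PR-QBS-SERVICES -n >/dev/null 2>&1 || sudo iptables -t nat -N PR-QBS-SERVICES` keeps it idempotent. PROXY_META is spliced unescaped into a sed replacement, so it must not contain `/`, `&` or `\` — worth a comment where it is defined (utility_functions, not in this diff).
```shell
    grep "^DisableNetwork 0$" /etc/tor/torrc || {
        sudo service sdwdate restart
        sudo service tor stop
        if sudo /usr/bin/whonixsetup; then
            enable_sysv tor
            sleep 1
            enable_sysv sdwdate
        else
            sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
            disable_sysv tor
            disable_sysv sdwdate
            sudo /sbin/poweroff
        fi
    }
    # … unchanged: update-proxy setup …
```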
@@ -75,18 +77,42 @@ update_ip() { echo "${ip}" > /etc/whonix-netvm-gateway grep '^DisableNetwork 0$' /etc/tor/torrc && { - service tor reload || true; + service tor status && { + service tor reload || true; + } } } -ip="$(xenstore-read qubes-netvm-gateway)" +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > 
/etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 9a098f7..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip 
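Review bot: In the new workstation branch `replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@]` passes an empty search string whenever /etc/whonix-ip does not exist yet (cat fails and the substitution yields ""), and search_replace then builds `sed '//,${s//…/;b};$q1'` with an empty regex, which sed either rejects or treats as "reuse the previous regex" — not a safe no-op; the gateway branch has the same exposure through /etc/whonix-netvm-gateway. Guard each read, e.g. `[ -f /etc/whonix-ip ] && replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip`, or make replace_ips return early on an empty search (its body is outside this hunk). The values read from xenstore are spliced unquoted into `[ x${ip} != x ]` and, via search_replace, into a sed expression; a cheap shape check such as `[[ "${ip}" =~ ^[0-9]+(\.[0-9]+){3}$ ]]` before use would stop a malformed key from rewriting the listed files. `echo "${ip}" > /etc/whonix-ip` is also written twice in the workstation branch, the second time with no effect once the first succeeded. The hunk opens inside update_ip, whose first lines are outside it.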
@@ -1,141 +1,78 @@ #!/bin/bash -if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" -else - XENSTORE_READ="/usr/bin/xenstore-read" -fi - -INTERFACE="eth1" -ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) - -# Create a dummy eth1 interface so tor can bind to it if there -# are no DOMU virtual machines connected at the moment -ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy +. /usr/lib/whonix/utility_functions - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig ${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off - /sbin/ethtool -K ${INTERFACE} tx off +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" fi - ip link set ${INTERFACE} up -} - -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' -) - -immutableFilesEnable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! 
[ -L "${file}" ]; then - chattr +i "${file}${suffix}" + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy + + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true fi - done -} -immutableFilesDisable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" - fi - done -} - -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" - - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" - fi + ip link set ${INTERFACE} up + } +fi - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) + + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" + + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips + + # Make sure hostname is correct + /bin/hostname host + + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" fi -} - -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist "/etc/resolv.conf" -copyAnondist "/etc/hosts" -copyAnondist "/etc/hostname" - -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips - -# Make sure hostname is correct -/bin/hostname host - -# Start Whonix Firewall -export INT_IF="vif+" -export INT_TIF="vif+" -/usr/bin/whonix_firewall + /usr/bin/whonix_firewall -# Route any traffic FROM netvm TO netvm BACK-TO localhost -# Allows localhost access to tor network -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - -# Will only enable / disable if service is not already in that state -enable_sysv() { - servicename=${1} - disable=${2-0} - - # Check to see if the service is already 
enabled and if not, enable it - string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" - - if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then - case ${disable} in - 0) - echo "${1} is currently disabled; enabling it" - systemctl --quiet enable ${servicename} - ;; - 1) - echo "${1} is currently enabled; disabling it" - systemctl --quiet disable ${servicename} - ;; - esac + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 fi -} -disable_sysv() { - enable_sysv ${1} 1 -} - -# This would be a really good place to apply any hacks required and remove them -# from template build script -grep "^DisableNetwork 0$" /etc/tor/torrc && { - #enable_sysv tor - #enable_sysv whonixcheck - #enable_sysv sdwdate - : -} || { - : -} + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh 
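Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` (both calls in the non-template block) expands to the first array element only, so the immutable bit is handled for /etc/resolv.conf and never for /etc/hostname or /etc/hosts; the same call existed on the old side, whose removed implementation did `files="${1}"`, and the new side keeps it while relying on a copy in utility_functions that is not in this diff. Pass the array by name as replace-ips already does with `FILES[@]` (shown below) and have the function expand it with `local files=("${!1}")` — that part of the fix has to land in utility_functions. In the gateway block `ip` comes from `xenstore-read … 2> /dev/null`, so on failure it is empty and the later `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} …` runs with missing arguments; it also appends a duplicate rule on every run, so the rewrite below checks the value and the rule first. `netmask` and `gateway` are assigned in the same block and never used.
```shell
    # Make sure all .anondist files in list are immutable
    immutableFilesEnable IMMUTABLE_FILES[@]
    immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"
    # … unchanged: copyAnondist calls, replace-ips, hostname, firewall …

    if [ "${WHONIX}" == "gateway" ] && [[ "${ip}" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
        # Route any traffic FROM netvm TO netvm BACK-TO localhost
        # Allows localhost access to tor network
        iptables -t nat -C OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1 2>/dev/null ||
            iptables -t nat -A OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1
    fi
```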
@@ -0,0 +1,95 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" +#disable_sysv tor +#disable_sysv sdwdate + +iptables -F +iptables -t nat -F + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi + +sysctl -w net.ipv4.ip_forward=1 + +iptables -A FORWARD -i eth0 -j ACCEPT +iptables -A FORWARD -o eth0 -j ACCEPT +iptables -A FORWARD -i lo -j ACCEPT +iptables -A FORWARD -o lo -j ACCEPT + +#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" +#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" + +#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 + +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 + +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 + +# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 + +# Remap ALL traffic +#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 + +#iptables -v -L +#iptables -v -t nat -L +#telnet 127.0.0.1 9105 +#telnet 10.137.2.1 8082 +#telnet 127.0.0.1 8082 +#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions new file mode 100755 index 0000000..8a3b4e7 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions 
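Review bot: tests.sh is shipped as an executable under /usr/lib/whonix (the .facl hunks later in this commit give it rwxr-xr-x), yet its first live commands are `iptables -F`, `iptables -t nat -F`, `sysctl -w net.ipv4.ip_forward=1` and four unconditional `iptables -A FORWARD ... -j ACCEPT` rules, which flush the Whonix firewall and permit unfiltered forwarding on whichever VM runs it. Everything after the FORWARD rules is commented-out experiments, so this reads as a scratch file that should not be installed into the image; if it must stay, make it opt-in with something like `[ "${WHONIX_ALLOW_FIREWALL_TESTS}" = "1" ] || exit 1` right after the source line and state in a header comment that it disables the firewall. The workstation tests.sh hunk further down is the same file and needs the same treatment.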
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
+# to proxy for template
+PROXY_SERVER="http://10.137.255.254:8082/"
+PROXY_META=''
+
+if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
+ WHONIX="template"
+elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+ WHONIX="gateway"
+elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ WHONIX="workstation"
+else
+ WHONIX="unknown"
+fi
+
+if [ "${WHONIX}" == "template" ]; then
+ curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
+ PROXY_SECURE=1
+ } || {
+ PROXY_SECURE=0
+ }
+fi
+
+immutableFilesEnable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr +i "${file}${suffix}"
+ fi
+ done
+}
+
+immutableFilesDisable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr -i "${file}${suffix}"
+ fi
+ done
+}
+
+copyAnondist() {
+ file="${1}"
+ suffix="${2-.anondist}"
+
+ # Remove any softlinks first
+ if [ -L "${file}" ]; then
+ sudo rm -f "${file}"
+ fi
+
+ if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+ sudo chattr -i "${file}"
+ sudo rm -f "${file}"
+ sudo cp -p "${file}${suffix}" "${file}"
+ sudo chattr +i "${file}"
+ elif ! 
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 9e5e47b..bfdec11 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -49,10 +63,10 @@ other::r-- # file: etc/sudoers.d # owner: root -# group: user +# group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root @@ -89,6 +103,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/setup-ip # owner: root # group: root 
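Review bot: The PROXY_SECURE probe at the top is vacuous: PROXY_META is the empty string and `grep -q ""` matches any line, so PROXY_SECURE becomes 1 as soon as whatever listens at PROXY_SERVER returns a non-empty body, whether or not it is the Whonix gateway's tinyproxy (and the same empty value means the marker injection in qubes-whonixsetup never runs). Until a real marker is defined the check should fail closed, e.g. `[ -n "${PROXY_META}" ] && curl.anondist-orig "${PROXY_SERVER}" | grep -q -- "${PROXY_META}"`, with a comment that a matching marker is only a hint about which proxy answered, not authentication of it. Separately, immutableFilesEnable and immutableFilesDisable assign `files="${1}"`, which keeps only the first element of the array the setup-ip callers pass as `"${IMMUTABLE_FILES}"`, so only /etc/resolv.conf ever gets its immutable bit; use the indirection convention replace-ips already uses with `FILES[@]`, i.e. `files=("${!1}")` here and `immutableFilesEnable IMMUTABLE_FILES[@]` at the call sites. Note also that the probe runs every time this file is sourced, so each script that sources it inside a template performs an HTTP fetch. The workstation utility_functions hunk is byte-identical and carries the same issues, as does the immutable-file call in the workstation setup-ip hunk.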
@@ -96,6 +117,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/tests.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/replace-ips # owner: root # group: root @@ -103,6 +138,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/alert +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/qubes-whonixsetup +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/enable-iptables-logging.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts index 87b1540..cc0e30d 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
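Review bot: The condition that takes apt-get out of the uwt wrapper relies on PROXY_SECURE, which utility_functions derives from `grep -q "${PROXY_META}"` with PROXY_META empty, so in practice apt-get is unwrapped whenever any HTTP listener at PROXY_SERVER returns a body; this file should not treat that value as proof that the proxy is the Tor gateway until the marker check is made meaningful. Sourcing utility_functions here also presumably means its curl probe runs every time uwt reads this config. Style: `[ ... -a ... ]` is the deprecated form; prefer `if [[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "1" ]]; then`.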
--- a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert new file mode 100755 index 0000000..e585475 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert 
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
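Review bot: Messages.__init__ crashes on any non-English locale that has no matching section: `section.get(self.language, DEFAULT_LANG)` falls back to the string 'en', and the following `language.get('title', None)` raises AttributeError on a str, which is not in the except list; the fallback should be the English sub-dict, e.g. `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. Since the filename comes from argv, `yaml.load(stream)` should be `yaml.safe_load(stream)` so the parser cannot construct arbitrary Python objects from the file, and the stream should be closed (`with open(filename, 'r') as stream:`). The `if not args.filename and args.section:` guard is unreachable (argparse already requires both positionals) and would raise TypeError anyway because `parser.usage` is a string, not a method.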
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +

Tor netvm required for updates!

+

Please ensure your template vm has a Whonix gateway as it's VM.

+

No updates are possible without an active (running) Whonix gateway VM.

+

+

Template will now power off

+
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
new file mode 100755
index 0000000..49dff91
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" == "gateway" ]; then
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ sudo service sdwdate restart
+ sudo service tor stop
+ sudo /usr/bin/whonixsetup && {
+ enable_sysv tor
+ sleep 1
+ enable_sysv sdwdate
+ } || {
+ sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
+ disable_sysv tor
+ disable_sysv sdwdate
+ sudo /sbin/poweroff
+ }
+ }
+
+ # Allow whonix-gateway to act as an update-proxy
+ sudo systemctl status qubes-updates-proxy.service || {
+ error_file="/usr/share/tinyproxy/default.html"
+
+ # Search and replace tinyproxy error files so we can inject code that
+ # we can use to identify that its a tor proxy so updates are secure
+ grep -q "${PROXY_META}" "${error_file}" || {
+ sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+ }
+
+ sudo touch /var/run/qubes-service/qubes-updates-proxy
+ sudo iptables -t nat -N PR-QBS-SERVICES
+ sudo systemctl start qubes-updates-proxy.service
+ }
+
+elif [ "${WHONIX}" == "workstation" ]; then
+ if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
+ enable_sysv sdwdate
+ sudo service sdwdate restart
+ sudo /usr/bin/whonixsetup
+ fi
+
+elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+ /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
+ sudo /sbin/poweroff
+fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
index bc44984..900a584 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
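Review bot: In the gateway branch's fallback, `sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"` runs without sudo while every surrounding command uses it, so when the script runs as the unprivileged user the torrc edit fails silently and the VM is powered off with Tor still marked enabled; make it `sudo sed -i ...` and only power off when the edit succeeded. The `grep "^DisableNetwork 0$" /etc/tor/torrc` test prints the matched line to stdout; `grep -q` is what is meant. `sudo iptables -t nat -N PR-QBS-SERVICES` reports an error on every run after the chain exists; `sudo iptables -t nat -N PR-QBS-SERVICES 2>/dev/null || true` keeps the block idempotent. Style: `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]` uses the deprecated `-a`; prefer `[[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "0" ]]`.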
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
@@ -70,18 +72,47 @@ function replace_ips() return $retval } -ip="$(xenstore-read qubes-ip)" -gateway="$(xenstore-read qubes-gateway)" +update_ip() { + ip=${1} + + echo "${ip}" > /etc/whonix-netvm-gateway + grep '^DisableNetwork 0$' /etc/tor/torrc && { + service tor status && { + service tor reload || true; + } + } +} -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" + + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi -# Compare to current gateway IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by 
Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip index 2dca037..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
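Review bot: The values read with xenstore-read are only tested with `[ x${ip} != x ]` before being written to /etc/whonix-netvm-gateway and handed to replace_ips, whose search_replace (visible in the earlier hunk) splices them unescaped into a sed program and from there into files such as simple_ping.py; an empty `$(cat /etc/whonix-netvm-gateway)` likewise becomes an empty sed pattern, and `//` in sed reuses the previous regex rather than matching nothing. Validate the shape before use, e.g. `[[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || exit 1`, and apply the same to `gateway` in the workstation branch and to the `$(cat ...)` values. `grep '^DisableNetwork 0$' /etc/tor/torrc` in update_ip prints the matched line; use `grep -q`.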
@@ -1,70 +1,78 @@ #!/bin/bash -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/hostname' - '/etc/hosts' -) +. /usr/lib/whonix/utility_functions -immutableFilesEnable() { - files="${1}" - suffix="${2}" +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" + fi - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr +i "${file}${suffix}" - fi - done -} + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) -immutableFilesDisable() { - files="${1}" - suffix="${2}" + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true fi - done -} -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" + ip link set ${INTERFACE} up + } +fi - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" - fi +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - fi -} + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist "/etc/hosts" -copyAnondist "/etc/hostname" + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips + # Make sure hostname is correct + /bin/hostname host -# Make sure hostname is correct -/bin/hostname host + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" + fi + /usr/bin/whonix_firewall -# Start Whonix Firewall -/usr/bin/whonix_firewall + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 + fi + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 
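Review bot: `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` in the second gateway block is appended unconditionally on every run and is not guarded against ip being empty — the xenstore-read above discards stderr and only the dummy-interface block tests `x${ip} != x` — so repeated boots stack duplicate NAT rules and an empty value yields a malformed command. Guard it and make it idempotent: `[ -n "${ip}" ] && { iptables -t nat -C OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1 2>/dev/null || iptables -t nat -A OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1; }`. In the dummy-interface block `netmask` and `gateway` are read from xenstore and never used, while `/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255` hard-codes the mask; either use the value or drop the two reads. `ip link show ${INTERFACE} >> /dev/null` should be `>/dev/null 2>&1`, since the error output is what the caller wants silenced.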
--- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh 
@@ -0,0 +1,95 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" +#disable_sysv tor +#disable_sysv sdwdate + +iptables -F +iptables -t nat -F + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi + +sysctl -w net.ipv4.ip_forward=1 + +iptables -A FORWARD -i eth0 -j ACCEPT +iptables -A FORWARD -o eth0 -j ACCEPT +iptables -A FORWARD -i lo -j ACCEPT +iptables -A FORWARD -o lo -j ACCEPT + +#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" +#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" + +#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 + +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 + +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 + +# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 + +# Remap ALL traffic +#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 + +#iptables -v -L +#iptables -v -t nat -L +#telnet 127.0.0.1 9105 +#telnet 10.137.2.1 8082 +#telnet 127.0.0.1 8082 +#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions new file mode 100755 index 0000000..8a3b4e7 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions 
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
+# to proxy for template
+PROXY_SERVER="http://10.137.255.254:8082/"
+PROXY_META=''
+
+if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
+ WHONIX="template"
+elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+ WHONIX="gateway"
+elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ WHONIX="workstation"
+else
+ WHONIX="unknown"
+fi
+
+if [ "${WHONIX}" == "template" ]; then
+ curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
+ PROXY_SECURE=1
+ } || {
+ PROXY_SECURE=0
+ }
+fi
+
+immutableFilesEnable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr +i "${file}${suffix}"
+ fi
+ done
+}
+
+immutableFilesDisable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr -i "${file}${suffix}"
+ fi
+ done
+}
+
+copyAnondist() {
+ file="${1}"
+ suffix="${2-.anondist}"
+
+ # Remove any softlinks first
+ if [ -L "${file}" ]; then
+ sudo rm -f "${file}"
+ fi
+
+ if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+ sudo chattr -i "${file}"
+ sudo rm -f "${file}"
+ sudo cp -p "${file}${suffix}" "${file}"
+ sudo chattr +i "${file}"
+ elif ! 
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 7cda7ca..2416fb6 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -55,6 +55,12 @@ sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common # Whonix expects haveged to be started sudo /etc/init.d/haveged start +# Whonix does not always fix permissions after writing as sudo, especially +# when running whonixsetup so /var/lib/whonix/done_once is not readable by +# user, so set defualt umask for sudo +#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers' +#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers' + ################################################################################ # Whonix installation export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" 
@@ -74,17 +80,8 @@ popd EOF # ------------------------------------------------------------------------------
-# chroot Whonix fix script (Make sure set -e is not set)
-# Run ../whonix_fix when whonix gives grub-pc error
+# Pin grub so it won't install # ------------------------------------------------------------------------------
-# TODO: Do something in whonix build to automatically run fixups and
-# ignore certain errors
-read -r -d '' WHONIX_FIX_SCRIPT <<'EOF'
-DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
- sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
-sudo apt-mark hold grub-common grub-pc-bin grub2-common
-EOF
-
 read -r -d '' WHONIX_APT_PIN <<'EOF' Package: grub-pc Pin: version *
@@ -230,13 +227,9 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
- # Install Whonix fix script
- echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix"
- chmod 0755 "${INSTALLDIR}/home/user/whonix_fix"
- # Install Whonix build scripts
- echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build"
- chmod 0755 "${INSTALLDIR}/home/user/whonix_build"
+ echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
+ chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh" # ------------------------------------------------------------------------------ # Copy over any extra files
@@ -287,6 +280,7 @@ fi if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then info "Post Configuring Whonix System"
+ # Don't need Whonix interfaces; restore original pushd "${INSTALLDIR}/etc/network" { rm -f interfaces; 
@@ -294,6 +288,8 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd
+ # Qubes installation will need a normal resolv.conf; will be restored back
+ # in 04_qubes_install_post.sh within the wheezy+whonix-* directories pushd "${INSTALLDIR}/etc" { rm -f resolv.conf;
@@ -301,6 +297,17 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd
+ # Remove link to hosts file and copy original back
+ # Will get set back to Whonix hosts file when the
+ # /usr/lib/whonix/setup-ip is run on startup
+ pushd "${INSTALLDIR}/etc"
+ {
+ rm -f hosts;
+ cp -p hosts.anondist-orig hosts;
+ }
+ popd
+
+ # Enable Tor #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
@@ -315,7 +322,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" # Fake that whonixsetup was already run
- mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once"
+ #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" # Fake that initializer was already run
@@ -338,6 +345,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh chroot "${INSTALLDIR}" service apt-cacher-ng stop || : chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || :
+ # Tor will be re-enabled upon initial configuration
+ chroot "${INSTALLDIR}" update-rc.d tor disable || :
+ chroot "${INSTALLDIR}" update-rc.d sdwdate disable || :
+ # Remove apt-cacher-ng DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
index 73aa49a..f394ff8 100755
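Review bot: `update-rc.d tor disable || :` and the matching sdwdate line swallow any failure, yet the comment above them relies on Tor staying disabled until first-start configuration re-enables it (that path is outside this diff); if update-rc.d fails, the template boots with Tor enabled against whatever torrc the build left behind, and nothing in the build log says so. The Tor-enable block a few hunks earlier (now commented out) was gated on `"${TEMPLATE_FLAVOR}" == "whonix-gateway"`, whereas this disable applies to both gateway and workstation flavours; that may be intended, but it deserves a comment stating so. I would at least surface the failure, e.g. `chroot "${INSTALLDIR}" update-rc.d tor disable || info "WARNING: could not disable tor; first-start setup must handle it"`, using the same `info` helper the surrounding script already calls. The enclosing if-block starts and ends outside the hunk.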
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
+++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
@@ -45,4 +45,4 @@ popd rm -rf "${INSTALLDIR}"/home/user/Whonix rm -rf "${INSTALLDIR}"/home/user/whonix_binary rm -f "${INSTALLDIR}"/home/user/whonix_fix
-rm -f "${INSTALLDIR}"/home/user/whonix_build
+rm -f "${INSTALLDIR}"/home/user/whonix_build.sh