From c26d0eac1a3bc47308ccef4afa75e8ade8db734f Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 22 Oct 2014 22:38:07 -0400 Subject: [PATCH] added static host related files for whonix copy and moved copy to pre whonix install --- functions.sh | 5 +- .../extra-whonix-files/.facl | 28 +++++++++++ .../extra-whonix-files/etc/hostname | 1 + .../extra-whonix-files/etc/hosts | 16 +++++++ .../extra-whonix-files/etc/sudoers.d/qubes | 46 +++++++++++++++++++ .../02_install_groups_packages_installed.sh | 23 +++++++--- .../wheezy+whonix/04_install_qubes_post.sh | 3 +- .../wheezy+whonix/packages_wheezy.list | 10 ++++ 8 files changed, 122 insertions(+), 10 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes diff --git a/functions.sh b/functions.sh index a3437cc..c3ce484 100755 --- a/functions.sh +++ b/functions.sh @@ -294,8 +294,9 @@ buildStep() { # 1. Change to the directory that you want to have file permissions retained # 2. Change all the file permissions / ownership as you want # 3. Change back to the root of the exta directory (IE: extra-qubes-files) -# 4. getfacl -R . > ".facl" -# 5. If git complains; reset file ownership back to user. The .facl file stored +# 4. Manually restore facl's: setfacl --restore=.facl +# 5. Manually create facl backup used after copying: getfacl -R . > .facl +# 6. If git complains; reset file ownership back to user. The .facl file stored # the file permissions and will be used to reset the file permissions after # they get copied over to $INSTALLDIR # NOTE: Don't forget to redo this process if you add -OR- remove files diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl index d047a8c..4e00c79 100644 --- a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl @@ -12,6 +12,13 @@ user::rwx group::r-x other::r-x +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -33,6 +40,27 @@ user::rw- group::r-- other::r-- +# file: etc/hostname +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/sudoers.d +# owner: root +# group: user +user::rwx +group::r-x +other::r-x + +# file: etc/sudoers.d/qubes +# owner: root +# group: root +user::r-- +group::r-- +other::--- + # file: .facl # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname new file mode 100644 index 0000000..c70dc2d --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname @@ -0,0 +1 @@ +host diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts new file mode 100644 index 0000000..87b1540 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts @@ -0,0 +1,16 @@ +## Anonymity Distribution /etc/hosts + +## Defaults +127.0.0.1 host +::1 host ip6-host ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +## End of defaults + +## Anonymity Distribution specific +127.0.0.1 host.localdomain host +## End of Anonymity Distribution specific + +## End of Anonymity Distribution /etc/hosts diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes new file mode 100644 index 0000000..8087a90 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes @@ -0,0 +1,46 @@ +user ALL=(ALL) NOPASSWD: ALL + +# WTF?! Have you lost your mind?! +# +# In Qubes VMs there is no point in isolating the root account from +# the user account. This is because all the user data are already +# accessible from the user account, so there is no direct benefit for +# the attacker if she could escalate to root (there is even no benefit +# in trying to install some persistent rootkits, as the VM's root +# filesystem modifications are lost upon each start of a VM). +# +# One might argue that some hypothetical attacks against the +# hypervisor or the few daemons/backends in Dom0 (so VM escape +# attacks) most likely would require root access in the VM to trigger +# the attack. +# +# That's true, but mere existence of such a bug in the hypervisor or +# Dom0 that could be exploited by a malicious VM, no matter whether +# requiring user, root, or even kernel access in the VM, would be +# FATAL. In such situation (if there was such a bug in Xen) there +# really is no comforting that: "oh, but the mitigating factor was +# that the attacker needed root in VM!" We're not M$, and we're not +# gonna BS our users that there are mitigating factors in that case, +# and for sure, root/user isolation is not a mitigating factor. +# +# Because, really, if somebody could find and exploit a bug in the Xen +# hypervisor -- so far there have been only one (!) publicly disclosed +# exploitable bug in the Xen hypervisor from a VM, found in 2008, +# incidentally by one of the Qubes developers (RW) -- then it would be +# highly unlikely if that person couldn't also found a user-to-root +# escalation in VM (which as we know from history of UNIX/Linux +# happens all the time). +# +# At the same time allowing for easy user-to-root escalation in a VM +# is simply convenient for users, especially for update installation. +# +# Currently this still doesn't work as expected, because some idotic +# piece of software called PolKit uses own set of policies. We're +# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a +# simple experiment: start 'xinput test' in one xterm, running as +# user, then open some app that uses PolKit and asks for root +# password, e.g. gpk-update-viewer -- observe how all the keystrokes +# with root password you enter into the "secure" PolKit dialog box can +# be seen by the xinput program...) +# +# joanna. diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 36e22f0..1825da1 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -267,13 +267,22 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then } # Change hostname to 'host' - debug "Whonix change host" - echo "host" > "$INSTALLDIR/etc/hostname" - chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts - - if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then - cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" - fi + #debug "Whonix change host" + #echo "host" > "$INSTALLDIR/etc/hostname" + #chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts + + #if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then + # cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" + #fi + + # ------------------------------------------------------------------------------ + # Copy over any extra files + # XXX: Moved to 02_install_groups_packages_installed.sh + # ------------------------------------------------------------------------------ + copyTree "extra-whonix-files" + + # XXX: Temp debug to see if it copied over files okay + #exit 1 # -------------------------------------------------------------------------- # Install Whonix system diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index b69a760..0429da7 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -47,8 +47,9 @@ fi # ------------------------------------------------------------------------------ # Copy over any extra files +# XXX: Moved to 02_install_groups_packages_installed.sh # ------------------------------------------------------------------------------ -copyTree "extra-whonix-files" +#copyTree "extra-whonix-files" # ------------------------------------------------------------------------------ # Cleanup Whonix Installation diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index acf4ebe..c8327e4 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -1,3 +1,13 @@ +gnome-terminal +locales +sudo +dmsetup +psmisc +ncurses-term +xserver-xorg-core +x11-xserver-utils +xinit + git curl sudo