added static host related files for whonix copy and moved copy to pre whonix install

This commit is contained in:
Jason Mehring 2014-10-22 22:38:07 -04:00
parent b4ea7f437b
commit c26d0eac1a
8 changed files with 121 additions and 9 deletions

View File

@ -294,8 +294,9 @@ buildStep() {
# 1. Change to the directory that you want to have file permissions retained
# 2. Change all the file permissions / ownership as you want
# 3. Change back to the root of the exta directory (IE: extra-qubes-files)
# 4. getfacl -R . > ".facl"
# 5. If git complains; reset file ownership back to user. The .facl file stored
# 4. Manually restore facl's: setfacl --restore=.facl
# 5. Manually create facl backup used after copying: getfacl -R . > .facl
# 6. If git complains; reset file ownership back to user. The .facl file stored
# the file permissions and will be used to reset the file permissions after
# they get copied over to $INSTALLDIR
# NOTE: Don't forget to redo this process if you add -OR- remove files

View File

@ -12,6 +12,13 @@ user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev
# owner: root
# group: root
@ -33,6 +40,27 @@ user::rw-
group::r--
other::r--
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/sudoers.d
# owner: root
# group: user
user::rwx
group::r-x
other::r-x
# file: etc/sudoers.d/qubes
# owner: root
# group: root
user::r--
group::r--
other::---
# file: .facl
# owner: root
# group: root

View File

@ -0,0 +1,16 @@
## Anonymity Distribution /etc/hosts
## Defaults
127.0.0.1 host
::1 host ip6-host ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
## End of defaults
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts

View File

@ -0,0 +1,46 @@
user ALL=(ALL) NOPASSWD: ALL
# WTF?! Have you lost your mind?!
#
# In Qubes VMs there is no point in isolating the root account from
# the user account. This is because all the user data are already
# accessible from the user account, so there is no direct benefit for
# the attacker if she could escalate to root (there is even no benefit
# in trying to install some persistent rootkits, as the VM's root
# filesystem modifications are lost upon each start of a VM).
#
# One might argue that some hypothetical attacks against the
# hypervisor or the few daemons/backends in Dom0 (so VM escape
# attacks) most likely would require root access in the VM to trigger
# the attack.
#
# That's true, but mere existence of such a bug in the hypervisor or
# Dom0 that could be exploited by a malicious VM, no matter whether
# requiring user, root, or even kernel access in the VM, would be
# FATAL. In such situation (if there was such a bug in Xen) there
# really is no comforting that: "oh, but the mitigating factor was
# that the attacker needed root in VM!" We're not M$, and we're not
# gonna BS our users that there are mitigating factors in that case,
# and for sure, root/user isolation is not a mitigating factor.
#
# Because, really, if somebody could find and exploit a bug in the Xen
# hypervisor -- so far there have been only one (!) publicly disclosed
# exploitable bug in the Xen hypervisor from a VM, found in 2008,
# incidentally by one of the Qubes developers (RW) -- then it would be
# highly unlikely if that person couldn't also found a user-to-root
# escalation in VM (which as we know from history of UNIX/Linux
# happens all the time).
#
# At the same time allowing for easy user-to-root escalation in a VM
# is simply convenient for users, especially for update installation.
#
# Currently this still doesn't work as expected, because some idotic
# piece of software called PolKit uses own set of policies. We're
# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
# simple experiment: start 'xinput test' in one xterm, running as
# user, then open some app that uses PolKit and asks for root
# password, e.g. gpk-update-viewer -- observe how all the keystrokes
# with root password you enter into the "secure" PolKit dialog box can
# be seen by the xinput program...)
#
# joanna.

View File

@ -267,13 +267,22 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then
}
# Change hostname to 'host'
debug "Whonix change host"
echo "host" > "$INSTALLDIR/etc/hostname"
chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts
#debug "Whonix change host"
#echo "host" > "$INSTALLDIR/etc/hostname"
#chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts
if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then
cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes"
fi
#if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then
# cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes"
#fi
# ------------------------------------------------------------------------------
# Copy over any extra files
# XXX: Moved to 02_install_groups_packages_installed.sh
# ------------------------------------------------------------------------------
copyTree "extra-whonix-files"
# XXX: Temp debug to see if it copied over files okay
#exit 1
# --------------------------------------------------------------------------
# Install Whonix system

View File

@ -47,8 +47,9 @@ fi
# ------------------------------------------------------------------------------
# Copy over any extra files
# XXX: Moved to 02_install_groups_packages_installed.sh
# ------------------------------------------------------------------------------
copyTree "extra-whonix-files"
#copyTree "extra-whonix-files"
# ------------------------------------------------------------------------------
# Cleanup Whonix Installation

View File

@ -1,3 +1,13 @@
gnome-terminal
locales
sudo
dmsetup
psmisc
ncurses-term
xserver-xorg-core
x11-xserver-utils
xinit
git
curl
sudo