diff --git a/functions.sh b/functions.sh index d86543b..fa73126 100755 --- a/functions.sh +++ b/functions.sh @@ -169,6 +169,9 @@ templateNameDist() { dist_name="${dist_name:0:31}" fi fi + + # Remove and '+' characters from name since they are invalid for name + dist_name="${dist_name//+/-}" echo ${dist_name} } @@ -185,6 +188,8 @@ templateName() { local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}" + # Make sure TEMPLATE_LABEL is an array + TEMPLATE_LABEL=( ${TEMPLATE_LABEL} ) for element in "${TEMPLATE_LABEL[@]}"; do if [ "${element%:*}" == "${template_name}" ]; then template_name="${element#*:}" diff --git a/mnt/.gitignore b/mnt/.gitignore deleted file mode 100644 index e69de29..0000000 diff --git a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh index 0d4a9bb..9e0a543 100755 --- a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh @@ -26,14 +26,3 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" fi - -# ------------------------------------------------------------------------------ -# Remove apt-cacher-ng as it conflicts with something and is only for install -# ------------------------------------------------------------------------------ -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng - -# ------------------------------------------------------------------------------ -# Remove original sources.list. We will use one installed by Whonix now -# ------------------------------------------------------------------------------ -rm -f "${INSTALLDIR}/etc/apt/sources.list" 
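Review bot: The comment added above the substitution says the '+' characters are removed, but `${dist_name//+/-}` replaces each of them with '-', and the stray "and" makes the sentence hard to read; suggest `# Replace '+' with '-': '+' is not a valid character in the dist name`. Doing this after the `${dist_name:0:31}` truncation is fine because the replacement keeps the length, but that ordering is worth a word in the comment so it is not "fixed" later. templateNameDist() starts outside the hunk.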
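Review bot: `TEMPLATE_LABEL=( ${TEMPLATE_LABEL} )` does the opposite of its comment when the variable is already an array: the unquoted scalar expansion yields element 0 only, so every label after the first is silently dropped, and the word-splitting also glob-expands any element that happens to look like a pattern. Guard on the variable's type instead and only split the scalar case: `if [[ "$(declare -p TEMPLATE_LABEL 2>/dev/null)" != "declare -a"* ]]; then` / `  read -r -a TEMPLATE_LABEL <<< "${TEMPLATE_LABEL:-}"` / `fi`. templateName() starts outside the hunk.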
diff --git a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh index 5dcba8e..e19d7d9 100755 --- a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh @@ -2,11 +2,29 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e +fi + +# ------------------------------------------------------------------------------ +# whonix-netvm-gateway contains last known IP used to search and replace +# ------------------------------------------------------------------------------ +if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then + # -------------------------------------------------------------------------- + # Install Custom Configurations + # -------------------------------------------------------------------------- + echo "10.152.152.11" > "$INSTALLDIR/etc/whonix-ip" + echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" + + touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl new file mode 100644 index 0000000..9e5e47b --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl 
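Review bot: The new `else set -e fi` ties error aborting to verbosity: with VERBOSE>=2 or DEBUG=1 the script traces but no longer stops when the `echo … > "$INSTALLDIR/etc/whonix-ip"` or gateway write fails, and `touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"` then marks the step as done, so a debug build can silently differ from a normal one. Enable error aborting unconditionally and keep only the trace in the branch: `if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x; fi` / `set -e`. The `-a`/`-o` forms inside `[ ]` are the deprecated connectives; the file already relies on bash (`==`), so `[[ … && ! -f … ]]` is the safer equivalent.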
@@ -0,0 +1,112 @@
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/hosts
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/udev
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d/99-qubes-whonix.rules
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/hostname
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/sudoers.d
+# owner: root
+# group: user
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/sudoers.d/qubes
+# owner: root
+# group: root
+user::r--
+group::r--
+other::---
+
+# file: .facl
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: usr
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/setup-ip
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/replace-ips
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/enable-iptables-logging.sh
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hostname b/scripts_debian/wheezy+whonix-workstation/files/etc/hostname
new file mode 100644
index 0000000..c70dc2d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hostname
@@ -0,0 +1 @@
+host
diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts
new file mode 100644
index 0000000..87b1540
--- /dev/null
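Review bot: The `etc/sudoers.d` entry is the only one in this file with `# group: user`; every other path, including `etc/sudoers.d/qubes` inside that directory, is root:root. Group mode is r-x, so the unprivileged account cannot add drop-ins, but group-owning the sudoers.d directory by that account is inconsistent with the rest and looks like a capture from a working tree rather than an intended setting; suggest `# group: root` there. If this file is applied to the target with setfacl --restore (presumably, the name suggests it), this is what the template will ship with.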
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts
@@ -0,0 +1,16 @@
+## Anonymity Distribution /etc/hosts
+
+## Defaults
+127.0.0.1 host
+::1 host ip6-host ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+## End of defaults
+
+## Anonymity Distribution specific
+127.0.0.1 host.localdomain host
+## End of Anonymity Distribution specific
+
+## End of Anonymity Distribution /etc/hosts
diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes
new file mode 100644
index 0000000..8087a90
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes
@@ -0,0 +1,46 @@
+user ALL=(ALL) NOPASSWD: ALL
+
+# WTF?! Have you lost your mind?!
+#
+# In Qubes VMs there is no point in isolating the root account from
+# the user account. This is because all the user data are already
+# accessible from the user account, so there is no direct benefit for
+# the attacker if she could escalate to root (there is even no benefit
+# in trying to install some persistent rootkits, as the VM's root
+# filesystem modifications are lost upon each start of a VM).
+#
+# One might argue that some hypothetical attacks against the
+# hypervisor or the few daemons/backends in Dom0 (so VM escape
+# attacks) most likely would require root access in the VM to trigger
+# the attack.
+#
+# That's true, but mere existence of such a bug in the hypervisor or
+# Dom0 that could be exploited by a malicious VM, no matter whether
+# requiring user, root, or even kernel access in the VM, would be
+# FATAL. In such situation (if there was such a bug in Xen) there
+# really is no comforting that: "oh, but the mitigating factor was
+# that the attacker needed root in VM!" We're not M$, and we're not
+# gonna BS our users that there are mitigating factors in that case,
+# and for sure, root/user isolation is not a mitigating factor.
+#
+# Because, really, if somebody could find and exploit a bug in the Xen
+# hypervisor -- so far there have been only one (!) publicly disclosed
+# exploitable bug in the Xen hypervisor from a VM, found in 2008,
+# incidentally by one of the Qubes developers (RW) -- then it would be
+# highly unlikely if that person couldn't also found a user-to-root
+# escalation in VM (which as we know from history of UNIX/Linux
+# happens all the time).
+#
+# At the same time allowing for easy user-to-root escalation in a VM
+# is simply convenient for users, especially for update installation.
+#
+# Currently this still doesn't work as expected, because some idotic
+# piece of software called PolKit uses own set of policies. We're
+# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
+# simple experiment: start 'xinput test' in one xterm, running as
+# user, then open some app that uses PolKit and asks for root
+# password, e.g. gpk-update-viewer -- observe how all the keystrokes
+# with root password you enter into the "secure" PolKit dialog box can
+# be seen by the xinput program...)
+#
+# joanna.
diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules
new file mode 100644
index 0000000..8bcf97d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules
@@ -0,0 +1 @@
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh
new file mode 100755
index 0000000..d3a2b95
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Check /var/log/kern.log for logging results
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+ iptables -t raw -A OUTPUT -p icmp -j TRACE
+ iptables -t raw -A PREROUTING -p icmp -j TRACE
+ modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ modprobe ip6t_LOG
+fi
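Review bot: `user ALL=(ALL) NOPASSWD: ALL` gives the unprivileged account unconditional root, while setup-ip in this same commit relies on `chattr +i` so that /etc/resolv.conf, /etc/hosts and /etc/hostname are "not modified by other programs" and starts /usr/bin/whonix_firewall as root; with passwordless sudo, anything running as `user` can undo both with a single `sudo chattr -i` or by stopping the firewall. The long comment is the Qubes rationale (the root filesystem is reset on each VM start), which says nothing about a workstation whose configuration is meant to stay fixed against the applications it runs, so it does not by itself justify the rule here. If the trade-off is accepted for this template, state that in a short comment at the top of this file; if not, narrow the rule to the commands the template actually needs instead of `ALL`.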
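Review bot: `RUN+="/usr/lib/whonix/setup-ip"` fires once per matching `eth*` add event, and setup-ip (added in this commit) runs replace-ips, which does `sed -i` and `chattr` across a fixed file list and then starts the firewall; two interfaces appearing at once would run those edits concurrently on the same files, and a handler that takes long may be killed by udev's RUN timeout — confirm against the udev version in wheezy. Serialise the handler with a lock, e.g. `RUN+="/usr/bin/flock <LOCK_FILE> /usr/lib/whonix/setup-ip"` with a path of your choosing, or have the rule only trigger a service that does the work.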
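Review bot: The `iptables -t raw -A … -j TRACE` lines append unconditionally, so every run of the script adds another copy of each rule and the trace output multiplies; check before appending, e.g. `iptables -t raw -C OUTPUT -p icmp -j TRACE 2>/dev/null || iptables -t raw -A OUTPUT -p icmp -j TRACE`, and likewise for the other rules. `modprobe ipt_LOG` runs after the rules are in place; if that module is what makes TRACE output reach kern.log, loading it first avoids a window of untraced packets — worth confirming against the kernel in use. The script also assumes it runs as root and has no `set -e`, so a failed iptables call is only visible on its stderr; a leading `[ "$(id -u)" -eq 0 ] || exit 1` would make the failure mode explicit.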
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
new file mode 100755
index 0000000..3a43484
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Search though files and updates IP address to the current
+# 'qubes-netvm-gateway' IP address
+
+FILES=(
+ '/usr/lib/leaktest-workstation/simple_ping.py'
+ '/usr/lib/whonixcheck/preparation'
+ '/usr/share/anon-kde-streamiso/share/config/kioslaverc'
+ '/usr/bin/whonix_firewall'
+ '/etc/whonix_firewall.d/30_default'
+ '/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
+ '/usr/bin/uwt'
+ '/etc/uwt.d/30_uwt_default'
+ '/usr/share/tor/tor-service-defaults-torrc.anondist'
+ '/usr/bin/update-torbrowser'
+ '/etc/network/interfaces.whonix'
+ '/etc/resolv.conf.anondist'
+ '/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
+ '/etc/rinetd.conf.anondist'
+ '/etc/network/interfaces.whonix'
+ '/usr/share/anon-torchat/.torchat/torchat.ini'
+)
+
+# sed search and replace. return 0 if replace happened, otherwise 1
+search_replace() {
+ local search="$1"
+ local replace="$2"
+ local file="$3"
+ local retval=1
+
+ if ! [ -L "${file}" ]; then
+ ls_attrs="$(lsattr "${file}")"
+ ls_attrs=${ls_attrs:4:1}
+ if [ "${ls_attrs}" == "i" ]; then
+ chattr -i "${file}"
+ fi
+ fi
+
+ sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
+ retval=$?
+
+ if [ "${ls_attrs}" == "i" ]; then
+ chattr +i "${file}"
+ fi
+
+ return $retval
+}
+
+function replace_ips()
+{
+ local search_ip="${1}"
+ local replace_ip="${2}"
+ local files=("${!3}")
+ local replaced=0
+
+ # If IP is 10.152.152.10, network is 10.152.152.0
+ replace_network="${replace_ip%.*}.0"
+ search_network="${search_ip%.*}.0"
+
+ if ! [ "${search_ip}" == "${replace_ip}" ]; then
+ for file in "${files[@]}"; do
+ if [ -f "$file" ]; then
+ search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1
+ search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1
+ fi
+ done
+ fi
+
+ return $replaced
+}
+
+ip="$(xenstore-read qubes-ip)"
+gateway="$(xenstore-read qubes-gateway)"
+
+# Compare to current IP address assiged by Qubes
+replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
+
+# Do again; checking for original 10.152.152.11 incase of update
+replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
+
+# Compare to current gateway IP address assiged by Qubes
+replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
+
+# Do again; checking for original 10.152.152.10 incase of update
+replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
+
+
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
new file mode 100755
index 0000000..d8aa2ba
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Files that will have the immutable bit set
+# since we don't want them modified by other programs
+IMMUTABLE_FILES=(
+ '/etc/resolv.conf'
+ '/etc/hostname'
+ '/etc/hosts'
+)
+
+immutableFilesEnable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ chattr +i "${file}${suffix}"
+ fi
+ done
+}
+
+immutableFilesDisable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ chattr -i "${file}${suffix}"
+ fi
+ done
+}
+
+copyAnondist() {
+ file="${1}"
+ suffix="${2-.anondist}"
+
+ # Remove any softlinks first
+ if [ -L "${file}" ]; then
+ rm -f "${file}"
+ fi
+
+ if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+ chattr -i "${file}"
+ rm -f "${file}"
+ cp -p "${file}${suffix}" "${file}"
+ chattr +i "${file}"
+ elif ! [ -f "${file}" ]; then
+ cp -p "${file}${suffix}" "${file}"
+ chattr +i "${file}"
+ fi
+}
+
+# Make sure all .anondist files in list are immutable
+immutableFilesEnable "${IMMUTABLE_FILES}"
+immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+# Make sure we are using a copy of the annondist file and if not
+# copy the annondist file and set it immutable
+copyAnondist "/etc/resolv.conf"
+copyAnondist "/etc/hosts"
+copyAnondist "/etc/hostname"
+
+# Replace IP addresses in known configuration files / scripts to
+# currently discovered one
+/usr/lib/whonix/replace-ips
+
+# Make sure hostname is correct
+/bin/hostname -b host
+
+# Start Whonix Firewall
+/usr/bin/whonix_firewall
diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
index 191bdff..c3f8d3e 100755
--- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
+++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
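Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` passes only the array's first element, and inside the function `files="${1}"` is a scalar, so `"${files[@]}"` loops exactly once over /etc/resolv.conf: /etc/hostname and /etc/hosts never get the immutable bit from these calls, and immutableFilesDisable has the same shape (it is defined but, within this file, never called). The loop also tests `-f "${file}"` but flags `"${file}${suffix}"`, so the .anondist copies are checked through the wrong path. Pass the array by name with the `"${!1}"` indirection that replace-ips in this commit already uses, and test the suffixed path; the rewrite is below. Separately, `diff ${file} ${file}${suffix}` should quote both arguments, and `files`, `suffix` and `file` in all three functions should be `local` so the helpers do not leak into the script's globals.
```shell
immutableFilesEnable() {
  local files=("${!1}")   # caller passes the array by name: IMMUTABLE_FILES[@]
  local suffix="${2}"
  local file

  for file in "${files[@]}"; do
    # test the path that is actually flagged, suffix included
    if [ -f "${file}${suffix}" ] && ! [ -L "${file}${suffix}" ]; then
      chattr +i "${file}${suffix}"
    fi
  done
}

# … unchanged: immutableFilesDisable (same change, with chattr -i) …
# … unchanged: copyAnondist …

immutableFilesEnable IMMUTABLE_FILES[@]
immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"
```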
@@ -75,6 +75,8 @@ popd ################################################################################ # Post Fixups +set -e + pushd /etc/network sudo rm -f interfaces sudo ln -s interfaces.backup interfaces @@ -86,7 +88,9 @@ sudo ln -s resolv.conf.backup resolv.conf popd # Enable Tor -sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc +if [ "${1}" == "whonix-gateway" ]; then + sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc +fi # Fake that whonixsetup was already run sudo mkdir -p /var/lib/whonix/do_once @@ -107,6 +111,14 @@ sudo update-rc.d spice-vdagent disable sudo update-rc.d swap-file-creator disable sudo update-rc.d whonix-initializer disable +# Remove original sources.list +sudo rm -f /etc/apt/sources.list +sudo apt-get.anondist-orig update + +# Remove apt-cacher-ng +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng + sudo touch "/tmp/.prepared_whonix" EOF
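Review bot: `--force-yes` on the `sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng` line is not needed for a removal (`-y` already answers the prompt) and apt-get(8) documents it as a dangerous option that suppresses more than the prompt; drop it: `sudo apt-get.anondist-orig -y remove apt-cacher-ng`. The `set -e` introduced under the Post Fixups banner covers only what follows it, so `sudo rm -f /etc/apt/sources.list` followed by `apt-get.anondist-orig update` now aborts the whole block (before `touch "/tmp/.prepared_whonix"`) if the update cannot reach its sources; if the earlier package steps are meant to stay best-effort, a one-line comment at the `set -e` would keep the next reader from moving it up. The `"${1}"` in the new whonix-gateway test is, if this block is the body of a heredoc as the closing `EOF` suggests, expanded by the outer script rather than inside the chroot — worth confirming that is the flavour name intended. The same apt-cacher-ng removal is deleted from the gateway's 99_custom_configuration.sh in this commit, so the move itself is consistent.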