From d6d22e875e8e4a583e027ee436629de107a9b156 Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 4 Nov 2014 00:01:13 -0500
Subject: [PATCH] whonix: Added ability to be able to update templates via tor proxy. Firewall rules not working yet on gateway
---
 .../files/usr/lib/whonix/qubes-whonixsetup | 2 +-
 .../wheezy+whonix-workstation/files/.facl | 28 +++-
 .../files/usr/lib/whonix/qubes-whonixsetup | 2 +-
 .../files/usr/lib/whonix/tests.sh | 95 ----------
 .../02_install_groups_packages_installed.sh | 9 +-
 ...groups_packages_installed.sh.build-steps.d | 157 ------------------
 .../wheezy+whonix/packages_wheezy.list | 11 --
 7 files changed, 27 insertions(+), 277 deletions(-)
 delete mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
 delete mode 100755 scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
index 49dff91..814af62 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- sudo /sbin/poweroff
+ #sudo /sbin/poweroff
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl
index bfdec11..d173e0d 100644
--- a/scripts_debian/wheezy+whonix-workstation/files/.facl
+++ b/scripts_debian/wheezy+whonix-workstation/files/.facl
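Review bot: Commenting out `sudo /sbin/poweroff` turns the `template` + `PROXY_SECURE == 0` branch from fail-closed into alert-and-continue: after the alert the script just falls through to `fi` and the template keeps running in exactly the proxy state that triggered the warning. If the intent is to let templates update through the Tor proxy while the gateway firewall rules are still unfinished (as the commit message says), that should be recorded next to the line and the failure should still be visible to whatever launches this script, e.g. `# FIXME: poweroff disabled until the gateway firewall rules land; keep a non-zero exit so the insecure-proxy case is still reported` followed by `exit 1`. A bare `#` in front of dead code records neither the reason nor when it is meant to come back. The `if`/`elif` chain starts before this hunk, so the other branches are not visible here.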
@@ -33,6 +33,27 @@ user::rw-
 group::r--
 other::r--
 
+# file: etc/xdg
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/xdg/autostart
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/xdg/autostart/qubes-whonixsetup.desktop
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: etc/udev
 # owner: root
 # group: root
@@ -117,13 +138,6 @@ user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/tests.sh
-# owner: root
-# group: root
-user::rwx
-group::r-x
-other::r-x
-
 # file: usr/lib/whonix/messages.yaml
 # owner: root
 # group: root
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
index 49dff91..814af62 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- sudo /sbin/poweroff
+ #sudo /sbin/poweroff
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
deleted file mode 100755
index 6570b49..0000000
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
+++ /dev/null
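Review bot: The new `.facl` entry for `etc/xdg/autostart/qubes-whonixsetup.desktop` has no matching file in this commit's diffstat, so unless that `.desktop` already exists under `files/`, whatever replays these ACLs at build time will be pointed at a missing path. If it is meant to be added in a follow-up, a one-line note at the top of the new stanza, `# NOTE: qubes-whonixsetup.desktop is shipped separately; keep this stanza in sync with it`, would stop the next person from treating the entry as stale. The removal of the `usr/lib/whonix/tests.sh` stanza correctly mirrors the deletion of that file.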
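Review bot: This workstation copy of `qubes-whonixsetup` is byte-identical to the gateway copy (both hunks carry the same `49dff91..814af62` blob ids), so it inherits the same problem: with `#sudo /sbin/poweroff` the `template` + `PROXY_SECURE == 0` branch now alerts and then silently continues. Whichever fix is chosen for the gateway file (a `FIXME` explaining why the poweroff is disabled plus a non-zero `exit`) should be applied here as well, or the two copies should be generated from one source so they cannot drift. The enclosing `if`/`elif` chain begins outside this hunk.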
@@ -1,95 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/whonix/utility_functions
-
-#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
-#disable_sysv tor
-#disable_sysv sdwdate
-
-iptables -F
-iptables -t nat -F
-
-LOG_IP4=1
-LOG_IP6=0
-
-# for IPv4
-if [ "$LOG_IP4" == "1" ]; then
- iptables -t raw -A OUTPUT -p icmp -j TRACE
- iptables -t raw -A PREROUTING -p icmp -j TRACE
- modprobe ipt_LOG
-fi
-
-# for IPv6
-if [ "$LOG_IP6" == "1" ]; then
- ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
- ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
- ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
- ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
- modprobe ip6t_LOG
-fi
-
-sysctl -w net.ipv4.ip_forward=1
-
-iptables -A FORWARD -i eth0 -j ACCEPT
-iptables -A FORWARD -o eth0 -j ACCEPT
-iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -o lo -j ACCEPT
-
-#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-
-
-#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
-
-#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
-#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
-
-#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
-#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
-#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
-
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-
-#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
-
-# Works
-# localhost/loopback maps localhost port 8082 to localhost port 8888
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
-
-# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
-
-# Remap ALL traffic
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
-
-
-#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
-
-#iptables -v -L
-#iptables -v -t nat -L
-#telnet 127.0.0.1 9105
-#telnet 10.137.2.1 8082
-#telnet 127.0.0.1 8082
-#tail -100 /var/log/kern.log
diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
index 2416fb6..0a92070 100755
--- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
+++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
@@ -34,10 +34,9 @@ if [ "${SNAPSHOT}" == "1" ]; then
 fi
 
 # ------------------------------------------------------------------------------
-# chroot Whonix build script (Make sure set -e is not set)
+# chroot Whonix build script
 # ------------------------------------------------------------------------------
-read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF'
-
+read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true
 ################################################################################
 # Pre Fixups
 sudo mkdir -p /boot/grub2
@@ -82,7 +81,7 @@ EOF
 # ------------------------------------------------------------------------------
 # Pin grub so it won't install
 # ------------------------------------------------------------------------------
-read -r -d '' WHONIX_APT_PIN <<'EOF'
+read -r -d '' WHONIX_APT_PIN <<'EOF' || true
 Package: grub-pc
 Pin: version *
 Pin-Priority: -100
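Review bot: The `|| true` appended to `read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF'` is doing real work that the shortened header comment no longer explains: `read -d ''` always returns 1 when it hits the end of the here-document, so without the guard the line would abort the script under `set -e`, which is why the old comment said "Make sure set -e is not set". That reasoning should move onto the line rather than disappear, e.g. `read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true  # read -d '' returns 1 at heredoc EOF; do not let set -e treat that as failure`, and the same one-liner fits the `WHONIX_APT_PIN` read in the second hunk. The here-document body is the script later run inside the chroot and continues past the end of this hunk, so its contents are not reviewable here.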
@@ -103,7 +102,7 @@ EOF
 # ------------------------------------------------------------------------------
 # Set defualts for apt not to install recommended or extra packages
 # ------------------------------------------------------------------------------
-read -r -d '' WHONIX_APT_PREFERENCES <<'EOF'
+read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true
 Acquire::Languages "none";
 APT::Install-Recommends "false";
 APT::Install-Suggests "false";
diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
deleted file mode 100755
index 8cd88f0..0000000
--- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
+++ /dev/null
@@ -1,157 +0,0 @@
-#!/bin/bash
-# vim: set ts=4 sw=4 sts=4 et :
-
-# ------------------------------------------------------------------------------
-# Source external scripts
-# ------------------------------------------------------------------------------
-. ${SCRIPTSDIR}/vars.sh
-. ./umount_kill.sh >/dev/null
-
-# ------------------------------------------------------------------------------
-# Configurations
-# ------------------------------------------------------------------------------
-if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
- set -x
-else
- set -e
-fi
-
-# ------------------------------------------------------------------------------
-# XXX: Create a snapshot - Only for DEBUGGING!
-# ------------------------------------------------------------------------------
-# Only execute if SNAPSHOT is set
-if [ "${SNAPSHOT}" == "1" ]; then
- splitPath "${IMG}" path_parts
- PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
-
- if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
- umount_kill "${INSTALLDIR}" || :
- warn "Copying ${IMG} to ${PREPARED_IMG}"
- cp -f "${IMG}" "${PREPARED_IMG}"
- mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
- for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
- fi
-fi
-
-# ------------------------------------------------------------------------------
-# Set defualts for apt not to install recommended or extra packages
-# ------------------------------------------------------------------------------
-#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF'
-#Acquire::Languages "none";
-#APT::Install-Recommends "false";
-#APT::Install-Suggests "false";
-#Dpkg::Options "--force-confold";
-#EOF
-
-# ------------------------------------------------------------------------------
-# Cleanup function
-# ------------------------------------------------------------------------------
-function cleanup() {
- error "Whonix error; umounting ${INSTALLDIR} to prevent further writes"
- umount_kill "${INSTALLDIR}" || :
- exit 1
-}
-trap cleanup ERR
-trap cleanup EXIT
-
-# ------------------------------------------------------------------------------
-# Mount devices, etc required for Whonix installation
-# ------------------------------------------------------------------------------
-if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
- info "Preparing Whonix system"
-
- # --------------------------------------------------------------------------
- # Qubes needs a user named 'user'
- # --------------------------------------------------------------------------
- debug "Whonix Add user"
- chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
- {
- chroot "${INSTALLDIR}" groupadd -f user
- chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
- }
-
- # ------------------------------------------------------------------------------
- # Copy over any extra files
- # ------------------------------------------------------------------------------
- copyTree "files"
-
- touch "${INSTALLDIR}/tmp/.whonix_prepared"
-fi
-
-# ------------------------------------------------------------------------------
-# Install Whonix
-# ------------------------------------------------------------------------------
-if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then
- info "Installing Whonix system"
-
- # ------------------------------------------------------------------------------
- # Create Whonix mount point
- # ------------------------------------------------------------------------------
- if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
- debug "Installing Whonix build environment..."
- chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix'
- fi
-
- # --------------------------------------------------------------------------
- # Install Whonix code base
- # --------------------------------------------------------------------------
- if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
- debug "Building Whonix..."
- mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
- sync
- sleep 1
- fi
-
- # ------------------------------------------------------------------------------
- # Determine type of Whonix build
- # ------------------------------------------------------------------------------
- if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
- BUILD_TYPE="--torgateway"
- elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
- BUILD_TYPE="--torworkstation"
- else
- error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
- error "You need to set TEMPLATE_FLAVOR environment variable to either"
- error "whonix-gateway OR whonix-workstation"
- exit 1
- fi
-
- # ------------------------------------------------------------------------------
- # Start Whonix build process
- # ------------------------------------------------------------------------------
- chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
-
- touch "${INSTALLDIR}/tmp/.whonix_installed"
- touch "${INSTALLDIR}/tmp/.whonix_post"
-fi
-
-# ------------------------------------------------------------------------------
-# Execute any template flavor or sub flavor scripts
-# ------------------------------------------------------------------------------
-buildStep "99_custom_configuration.sh"
-
-# ------------------------------------------------------------------------------
-# Bring back original apt-get for installation of Qubues
-# ------------------------------------------------------------------------------
-pushd "${INSTALLDIR}/usr/bin"
-{
- rm -f apt-get;
- cp -p apt-get.anondist-orig apt-get;
-}
-popd
-
-# ------------------------------------------------------------------------------
-# Make sure the temporary policy-rc.d to prevent apt from starting services
-# on package installation is still active; Whonix may have reset it
-# ------------------------------------------------------------------------------
-cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <