Commit 8c7d85c0 authored by Tails developers's avatar Tails developers

Merge branch 'devel' into doc/improve_bug_reporting_workflow

Conflicts:
	wiki/src/doc/first_steps.index.de.po
	wiki/src/doc/first_steps.index.es.po
	wiki/src/doc/first_steps.index.fr.po
	wiki/src/doc/first_steps.index.pt.po
	wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop.de.po
	wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop.es.po
	wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop.fr.po
	wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop.pt.po
	wiki/src/support/found_a_problem.fr.po
	wiki/src/support/known_issues.de.po
	wiki/src/support/known_issues.es.po
	wiki/src/support/known_issues.fr.po
	wiki/src/support/known_issues.pt.po
parents e6d46cce 75c049a4
......@@ -51,6 +51,7 @@ echo "POTFILES_DOT_IN='$(
chmod -R go+rX config/binary_local-includes/
chmod -R go+rX config/chroot_local-includes/etc
chmod 0440 config/chroot_local-includes/etc/sudoers.d/*
chmod go+rX config/chroot_local-includes/home
chmod go+rX config/chroot_local-includes/lib
chmod go+rX config/chroot_local-includes/lib/live
chmod -R go+rx config/chroot_local-includes/lib/live/config
......
......@@ -376,6 +376,10 @@ Package: *
Pin: release o=Debian,n=squeeze-updates
Pin-Priority: 990
Package: *
Pin: release o=Debian,n=squeeze-proposed-updates
Pin-Priority: 990
Package: *
Pin: release o=Debian,n=squeeze
Pin-Priority: 900
......
#!/bin/sh
set -e
# Create the tails-persistence-setup user.
#
# The tails-persistence-setup program may be run as this user.
# This allows us to give it special privileges (e.g. access via udisk
# to internal disks and to the boot medium) that we don't want to give
# to the desktop user.
echo "creating the tails-persistence-setup user"
adduser --system --quiet --group --no-create-home tails-persistence-setup
#!/bin/sh
set -e
# Create the vidalia user.
#
# We run vidalia under this user,
# which belongs to the debian-tor group.
echo "creating the vidalia user"
adduser --system --quiet --group --no-create-home vidalia
adduser vidalia debian-tor
chown -R vidalia:vidalia /home/vidalia
......@@ -7,6 +7,8 @@ echo "Removing unwanted files"
# Get POTFILES_DOT_IN
. /usr/share/amnesia/build/variables
rm /usr/share/applications/vidalia.desktop
rm /usr/share/icons/gnome/icon-theme.cache
rm -r \
......@@ -15,16 +17,7 @@ rm -r \
rm -r /usr/share/amnesia/packages
# Ease transition to "stop shipping bugs/ and todo/ in ISO images"
# This is for people who have a too-clever caching build setup that
# goes on shipping files foverer as long as it has built them once.
rm -rf /usr/share/doc/tails/website/blueprint/ \
/usr/share/doc/tails/website/bugs/ \
/usr/share/doc/tails/website/todo/ \
/usr/share/doc/tails/website/bugs.html \
/usr/share/doc/tails/website/todo.html \
/usr/share/doc/tails/website/wishlist.html \
/usr/share/doc/tails/website/contribute/roadmap.html
rm -rf /usr/share/doc/tails/website/blueprint/
find /usr/share/doc -type f -name changelog.gz -exec rm "{}" \;
find /usr/share/doc -type f -name changelog.Debian.gz -exec rm "{}" \;
......
......@@ -6,10 +6,10 @@
<UpdateInterval>3</UpdateInterval>
<UpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage_ff_secure_en.src</UpdateUrl>
<IconUpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage.png</IconUpdateUrl>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/search">
<os:Url type="text/html" method="POST" template="https://startpage.com/rto/search">
<os:Param name="query" value="{searchTerms}"/>
<os:Param name="cat" value="web"/>
<os:Param name="pl" value="ff"/>
<os:Param name="language" value="english"/>
</os:Url>
</SearchPlugin>
\ No newline at end of file
</SearchPlugin>
LIVE_USER_DEFAULT_GROUPS="audio cdrom dialout floppy video plugdev netdev powerdev fuse debian-tor scanner lp lpadmin vboxsf"
LIVE_USER_DEFAULT_GROUPS="audio cdrom dialout floppy video plugdev netdev powerdev fuse scanner lp lpadmin vboxsf"
[Modify storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks.change
ResultAny=yes
[Modify internal storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks.change-system-internal
ResultAny=yes
[Mount storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=yes
[Mount internal storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks.filesystem-mount-system-internal
ResultAny=yes
[Unlock encrypted storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks.luks-unlock
ResultAny=yes
......@@ -2,9 +2,11 @@ keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/etc/ssl/certs/sks-keyservers.netCA.pem
keyserver-options http-proxy=http://127.0.0.1:8118/ no-honor-keyserver-url
personal-cipher-preferences AES256,AES192,AES,CAST5
personal-digest-preferences SHA512,SHA384,SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
use-agent
no-auto-key-locate
no-emit-version
Cmnd_Alias PERSISTENCE_SETUP = /usr/bin/tails-persistence-setup "", /usr/bin/tails-persistence-setup --step delete
amnesia ALL = (tails-persistence-setup) NOPASSWD: PERSISTENCE_SETUP
tails-persistence-setup ALL = (root) NOPASSWD: /usr/bin/tails-fix-persistent-volume-permissions
SUBSYSTEM!="block", GOTO="bilibop_end"
ACTION!="add|change", GOTO="bilibop_end"
KERNEL!="sd?*|mmcblk?*|mspblk?*", GOTO="bilibop_end"
SUBSYSTEMS=="usb|firewire|memstick|mmc", \
PROGRAM=="/lib/bilibop/test $tempnode", \
ENV{UDISKS_SYSTEM_INTERNAL}:="1", \
GROUP:="disk", \
GOTO="bilibop_disk"
GOTO="bilibop_end"
LABEL="bilibop_disk"
KERNEL=="sd?|mmcblk?|mspblk?", \
ENV{ID_DRIVE_DETACHABLE}:="0", \
SYMLINK+="TailsBootDev"
LABEL="bilibop_end"
[Desktop Entry]
Name=tails-warn-about-persistence-migration
GenericName=Warn when unmigrated persistence settings are left
Version=1.0
Exec=/usr/local/bin/tails-warn-about-persistence-migration
Terminal=false
Type=Application
NoDisplay=true
Categories=Application;Utility
#!/bin/sh
set -e
RUN_AS_USER=tails-persistence-setup
xhost +SI:localuser:"$RUN_AS_USER"
gksudo -u "$RUN_AS_USER" "/usr/bin/tails-persistence-setup --step delete"
xhost -SI:localuser:"$RUN_AS_USER"
#!/bin/sh
set -e
RUN_AS_USER=tails-persistence-setup
xhost +SI:localuser:"$RUN_AS_USER"
gksudo -u "$RUN_AS_USER" /usr/bin/tails-persistence-setup
xhost -SI:localuser:"$RUN_AS_USER"
#! /usr/bin/perl
use strict;
use warnings FATAL => 'all';
use 5.10.1;
use autodie qw{:all};
use Desktop::Notify;
use Locale::gettext;
use POSIX;
use Path::Class;
use String::Errf qw{errf};
setlocale(LC_MESSAGES, "");
textdomain("tails");
=head1 Functions
=head2 current_lang
Returns the two-letters language code of the current session.
=cut
sub current_lang {
my ($code) = ($ENV{LANG} =~ m/([a-z]{2}).*/);
return $code;
}
=head2 doc_url
Returns the best local URL to a given piece of doc.
=cut
sub doc_url {
my $website_root = shift;
my $doc_resource = shift;
my @try_files = (
file($website_root, $doc_resource . "." . current_lang() . ".html" ),
file($website_root, $doc_resource . ".en.html" ),
);
foreach my $file (@try_files) {
return "file://$file" if -e $file;
}
return;
}
=head1 Main
=cut
my @disabled_files = (
glob('/live/persistence/*_unlocked/live-additional-software.conf.disabled'),
glob('/live/persistence/*_unlocked/live-persistence.conf.old'),
);
exit 0 unless @disabled_files;
my $website_root = '/usr/share/doc/tails/website';
my $doc_resource = 'doc/first_steps/persistence/upgrade';
my $doc_url = doc_url($website_root, $doc_resource)
or die "Could not find best URL for '$doc_resource' at '$website_root'";
my $notify = Desktop::Notify->new();
my $summary = gettext(q{Some persistence settings were temporarily disabled});
my $body = errf(
gettext(
"%{disabled_conf_files}s\n"
. "<a href='%{doc_url}s'>Learn how to enable them again.</a>"
),
{
disabled_conf_files => join(', ', @disabled_files),
doc_url => $doc_url,
},
);
$notify->create(
summary => $summary,
body => $body,
timeout => 0
)->show();
#! /bin/sh
ARGS=
if grep -qw bridge /proc/cmdline; then
ARGS='-bridgeconf'
fi
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
until pgrep -u "${LIVE_USERNAME}" nm-applet >/dev/null ; do
sleep 5
done
lckdo /var/lock/vidalia.amnesia /usr/bin/vidalia $ARGS
......@@ -14,7 +14,7 @@ error ()
# and now initialized by live-boot in a file that we certainly
# don't want to source.
export persistence_list="persistence.conf"
export old_persistence_list="live-persistence.conf"
export old_persistence_list="nonexistent"
# This will import the following functions and variables used below:
# activate_custom_mounts()
......@@ -184,6 +184,42 @@ list_gpt_volumes ()
exit 0
}
mountpoint_has_correct_access_rights ()
{
local mountpoint="$1"
local expected_user=root
local expected_group=root
local expected_perms=775
local expected_acl="user::rwx
user:tails-persistence-setup:rwx
group::rwx
mask::rwx
other::r-x"
if [ $(stat -c %U "$mountpoint") != "$expected_user" ]
then
warning "'$mountpoint' is not owned by the '$expected_user' user"
return 1
fi
if [ $(stat -c %G "$mountpoint") != "$expected_group" ]
then
warning "'$mountpoint' is not owned by the '$expected_group' group"
return 2
fi
if [ $(stat -c %a "$mountpoint") != "$expected_perms" ]
then
warning "'$mountpoint' permissions are not $expected_perms"
return 4
fi
if [ "$(getfacl --omit-header --skip-base "$f" 2>/dev/null | grep -v '^\s*$')"
!= "$expected_acl" ]
then
warning "'$mountpoint' has incorrect ACL"
return 8
fi
return 0
}
activate_volumes ()
{
local volumes=${@}
......@@ -227,6 +263,116 @@ activate_volumes ()
custom_mounts="$(mktemp /tmp/custom_mounts-XXXXXX.list)"
get_custom_mounts ${custom_mounts} ${open_volumes}
# ... and now the persistent volumes should be mounted.
# Enable the acl mount option on all persistent filesystems.
for mountpoint in $(ls -d /live/persistence/*_unlocked || true)
do
mount -o remount,acl "$mountpoint"
done
# Detect if we have incorrect ownership, permissions and ACL.
ACCESS_RIGHTS_WERE_CORRECT=true
for mountpoint in $(ls -d /live/persistence/*_unlocked || true)
do
if ! mountpoint_has_correct_access_rights "$mountpoint"
then
ACCESS_RIGHTS_WERE_CORRECT=false
break
fi
done
# Migrate:
# * if live-persistence.conf exists;
# * unless correct ownership and permissions, too:
# else, a non-root attacker could trivially block the
# migration by creating persistence.conf in advance. Note that
# a root attacker can still block the migration by setting the
# correct permissions in advance, but there is no way we detect this.
if [ "$ACCESS_RIGHTS_WERE_CORRECT" != true ] ||
ls /live/persistence/*_unlocked/live-persistence.conf >/dev/null 2>&1
then
if [ "$PERSISTENCE_READONLY" = true ]
then
error "Persistence configuration needs to be migrated, but read-only was selected; please retry in read-write mode"
fi
# Set correct ownership, permissions and ACLs on the filesystems root.
chown root:root /live/persistence/*_unlocked \
|| error "Could not chown /live/persistence/*_unlocked: $?"
chmod 0775 /live/persistence/*_unlocked \
|| error "Could not chmod /live/persistence/*_unlocked: $?"
setfacl -b /live/persistence/*_unlocked \
|| error "Could not clear ACL on /live/persistence/*_unlocked: $?"
setfacl -m user:tails-persistence-setup:rwx /live/persistence/*_unlocked \
|| error "Could not set ACL on /live/persistence/*_unlocked: $?"
# Disable live-additional-software.conf if needed.
if [ "$ACCESS_RIGHTS_WERE_CORRECT" != true ]
then
for f in $(ls /live/persistence/*_unlocked/live-additional-software.conf || true)
do
mv "$f" "${f}.disabled" \
|| error "Failed to disable unsafe '$f': $?"
install --owner tails-persistence-setup \
--group tails-persistence-setup --mode 0600 \
/dev/null "$f" \
|| error "Failed to create empty '$f': $?"
done
fi
# Migrate known-safe settings from old configuration to new one.
for old_conf in $(ls /live/persistence/*_unlocked/live-persistence.conf || true)
do
new_conf=$(dirname "$old_conf")/persistence.conf
if [ -e "$new_conf" ]
then
if [ "$ACCESS_RIGHTS_WERE_CORRECT" = true ]
then
warning "'$new_conf' already exists, skipping"
continue
else
# Let's handle the case when an attacker
# tries to block the migration by creating
# persistence.conf in advance.
warning "'$new_conf' already exists. It should not, moving it out of the way"
mv "$new_conf" "${new_conf}.old" \
|| error "Failed to rename $new_conf to ${new_conf}.old: $?"
fi
fi
install --owner tails-persistence-setup \
--group tails-persistence-setup --mode 0600 \
/dev/null "${new_conf}.new" \
|| error "Failed to create empty '${new_conf}.new': $?"
grep -E --line-regexp \
-e '/etc/cups\s+source=cups-configuration' \
-e '/home/amnesia\s+source=dotfiles,link' \
-e '/home/amnesia/Persistent\s+source=Persistent' \
-e '/home/amnesia/\.gnupg\s+source=gnupg' \
-e '/home/amnesia/\.ssh\s+source=openssh-client' \
-e '/home/amnesia/\.purple\s+source=pidgin' \
-e '/home/amnesia/\.claws-mail\s+source=claws-mail' \
-e '/home/amnesia/\.gnome2/keyrings\s+source=gnome-keyrings' \
-e '/home/amnesia/\.gconf/system/networking/connections\s+source=nm-connections' \
-e '/home/amnesia/\.mozilla/firefox/bookmarks\s+source=bookmarks' \
-e '/var/cache/apt/archives\s+source=apt/cache' \
-e '/var/lib/apt/lists\s+source=apt/lists' \
"$old_conf" > "${new_conf}.new" \
|| error "Failed to import safe persistent settings into '${new_conf}.new': $?"
mv "${new_conf}.new" "$new_conf" \
|| error "Failed to rename '${new_conf}.new' to '$new_conf': $?"
if [ $(wc -l "$old_conf" | awk '{print $1}') -eq $(wc -l "$new_conf" | awk '{print $1}') ]
then
warning "Fully imported '$old_conf' into '$new_conf'"
rm "$old_conf" \
|| error "Failed to delete old_conf: $?"
else
warning "Partially imported '$old_conf' into '$new_conf'"
mv "$old_conf" "${old_conf}.old" \
|| error "Failed to rename $old_conf to ${old_conf}.old: $?"
fi
done
# Load the new persistence.conf.
get_custom_mounts ${custom_mounts} ${open_volumes}
fi
if [ -s "${custom_mounts}" ]
then
activate_custom_mounts ${custom_mounts} &> /dev/null
......
......@@ -2,12 +2,29 @@
set -e
# Get LIVE_USERNAME, whose instance we want to restart
ARGS=
if grep -qw bridge /proc/cmdline; then
ARGS='-bridgeconf'
fi
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
if killall vidalia 2> /dev/null; then
sleep 2 # give lckdo a chance to release the lockfile
fi
until pgrep -u "${LIVE_USERNAME}" nm-applet >/dev/null ; do
sleep 5
done
export DISPLAY=':0.0'
export XAUTHORITY="`echo /var/run/gdm3/auth-for-${LIVE_USERNAME}-*/database`"
exec /bin/su -c /usr/local/bin/vidalia-wrapper "${LIVE_USERNAME}" &
sudo -u ${LIVE_USERNAME} xhost +SI:localuser:vidalia
sudo -u vidalia lckdo /var/lock/vidalia vidalia -DISPLAY=${DISPLAY} ${ARGS} &
until pgrep -u vidalia vidalia >/dev/null ; do
sleep 5
done
sudo -u ${LIVE_USERNAME} xhost -SI:localuser:vidalia
......@@ -74,7 +74,9 @@ else
fi
DEV_UDEV_PATH=$(udevadm info --query path $QUERY_SELECTOR)
DEV_TYPE_LINE=$(udevadm info --query property $QUERY_SELECTOR | grep -w '^ID_TYPE')
# SD in SDIO has no ID_TYPE, let's pretend it's a disk just like USB sticks
DEV_TYPE_LINE=$(udevadm info --query property $QUERY_SELECTOR | grep -w '^ID_TYPE') \
|| DEV_TYPE_LINE='ID_TYPE=disk'
DEV_TYPE="${DEV_TYPE_LINE#*=}"
# If the world was sane we'd want to *disable* the eject lock, but it turns out
......
......@@ -47,6 +47,9 @@
<value>
<string>im_launcher</string>
</value>
<value>
<string>keepassx_launcher</string>
</value>
<value>
<string>terminal_launcher</string>
</value>
......@@ -400,6 +403,60 @@
<entry><key>objects/im_launcher/menu_path</key><schema_key>/schemas/apps/panel/objects/menu_path</schema_key></entry>
<entry><key>objects/im_launcher/action_type</key><schema_key>/schemas/apps/panel/objects/action_type</schema_key></entry>
<!-- KeePassX Launcher -->
<entry>
<key>objects/keepassx_launcher/object_type</key>
<schema_key>/schemas/apps/panel/objects/object_type</schema_key>
<value>
<string>launcher-object</string>
</value>
</entry>
<entry>
<key>objects/keepassx_launcher/toplevel_id</key>
<schema_key>/schemas/apps/panel/objects/toplevel_id</schema_key>
<value>
<string>top_panel</string>
</value>
</entry>
<entry>
<key>objects/keepassx_launcher/position</key>
<schema_key>/schemas/apps/panel/objects/position</schema_key>
<value>
<int>4</int>
</value>
</entry>
<entry>
<key>objects/keepassx_launcher/panel_right_stick</key>
<schema_key>/schemas/apps/panel/objects/panel_right_stick</schema_key>
<value>
<bool>false</bool>
</value>
</entry>
<entry>
<key>objects/keepassx_launcher/locked</key>
<schema_key>/schemas/apps/panel/objects/locked</schema_key>