Changes between Version 359 and Version 360 of doc/TorBOX/Dev/TWScript


Timestamp: Sep 27, 2012, 11:39:50 PM (6 years ago)
Author: proper
Comment: --

  • doc/TorBOX/Dev/TWScript

    v359 v360  
    1 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX Main Article - TorBOX]
    2 Go back to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation TorBOX/Dev/BuildDocumentation]
     1TorBOX has been renamed to Whonix.
    32
    4 {{{
    5 #!/bin/bash
    6 # Needs to be bash because we use "trap ERR".
    7 # Save as /home/user/TorBOX_source/TorBOX_Workstation
    8 # Homepage: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
     3This page has been moved. The History of this page might still be interesting.
    94
    10 # Version: TorBOX 0.2.1
    11 
    12 # Copyright: proper
    13 #
    14 # License: GPL v3 or any later
    15 #
    16 # Any changes you pull changes into this source will be also licensed
    17 # under GPL v3 or any later. Additionally you grant proper the right to
    18 # re-license your work under a different license. If that is not acceptable,
    19 # you can either fork this source under GPL v3 or any later or contact proper.
    20 # Contact proper, if you require this source code under different license.
    21 
    22 script_help() {
    23 echo \
    24 "
    25 ############################################################################
    26 #       INFO                                                               #
    27 # Automatically transform a fresh minimal Ubuntu Server 12.04 into a       #
    28 # "TorBOX-Workstation"                                                     #
    29 #                                                                          #
    30 # Development version, please test and leave feedback!                     #
    31 # Read https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/DISCLAIMER #
    32 #                                                                          #
    33 #       WARNING!                                                           #
    34 # Only run on an unmodified Ubuntu installation inside a Virtual Machine.  #
    35 # WARNING! Currently only -install is tested!                              #
    36 #                                                                          #
    37 #       ASSUMPTIONS                                                        #
    38 # 1) You use Ubuntu                                                        #
    39 # 2) The main username is "user"                                           #
    40 # (search for HARDCODED! and check the variable "USERNAME")                #
    41 # 3) You are using following network settings:                             #
    42 # Your primary (and only) network interface is eth0                        #
    43 # TorBOX-Workstation IP: 192.168.0.2                                       #
    44 # TorBOX-Gateway IP: 192.168.0.1                                           #
    45 # 4) TorBOX-Workstation's build environment has a working internet         #
    46 # connection to ubuntu mirrors                                             #
    47 # 5) you read and understood the script and verified all hardcoded gpg     #
    48 # fingerprints tagged with !!!VERIFY!!!                                    #
    49 #                                                                          #
    50 #       CHOOSE ONE OF THE FOLLOWING FLAGS                                  #
    51 # Available options:                                                       #
    52 # -install                                                                 #
    53 #                                                                          #
    54 # -update                                                                  #
    55 # WARNING! This will overwrite all your Browser settings                   #
    56 #                                                                          #
    57 # -xchat                                                                   #
    58 # Use this, if you want to unlink your previous activities on IRC with     #
    59 # XChat. The XChat configuration folder with your old identity gets        #
    60 # deleted and you can create a new pseudonym.                              #
    61 # WARNING This terminates XChat and deletes your old settings!             #
    62 #                                                                          #
    63 # -hiddenserver                                                            #
    64 # Installs and configures lighttp. Hidden service has also to be activated #
    65 # on TorBOX-Gateway, see TorBOX-Gateway script for more information.       #
    66 # You need to put your website into /var/www.                              #
    67 #                                                                          #
    68 # -uwt                                                                     #
    69 # Installs the latest uwt wrapper script and the latest uwt wrappers and   #
    70 # updates extensions.torbutton.banned_ports.                               #
    71 # https://trac.torproject.org/projects/tor/wiki/doc/torsocks               #
    72 #                                                                          #
    73 # -update-torbrowser                                                       #
    74 # Note: you can run this without root.                                     #
    75 # Updates only Tor Browser.                                                #
    76 # If you are a TorBOX user, you should only run this if you recently       #
    77 # issues -update. Otherwise, if you just want to install/update            #
    78 # TorBrowser, do not use -update.                                          #
    79 #                                                                          #
    80 # -uninstall                                                               #
    81 # undo *most* of the changes made by the script                            #
    82 # WARNING! Make a backup of all files and settings you want to keep        #       
    83 # This will probably delete important things, you have been warned.        #
    84 ############################################################################
    85 # NOTE FOR ADVANCED USERS
    86 # NOTE FOR DEBUGGING
    87 # NOTE FOR CONTRIBUTORS
    88 # Same comments as under
    89 # https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/TGScript
    90 # apply.
    91 # Search for TODO in the script and help us fix them.
    92 "
    93 }
    94 ######################################################
    95 # List of modified system files. Not all of them are backed up/restored by -uninstall
    96 ######################################################
    97 # Modified:
    98 # /etc/apt/sources.list
    99 # /etc/localtime
    100 # /etc/fonts/conf.d/10-sub-pixel-rgb.conf
    101 # /etc/init/tty6.conf
    102 # /etc/sudoers
    103 # /etc/resolv.conf
    104 # /etc/network/interfaces
    105 # /etc/fstab
    106 # - /etc/fstab.old Does not get restored. Would break boot, since uuids changed.
    107 # /var/lib/dbus/machine-id
    108 # - /etc/fstab.old Does not get restored. Would break boot, since uuids changed.
    109 # .gnupg/gpg.conf
    110 # ./tor-browser_en-US/Data/profile/user.js
    111 #
    112 # New:
    113 # .config/openbox/menu.xml
    114 # /etc/torboxfirewall.sh
    115 # /usr/share/leaktest/
    116 # /usr/local/bin/leaktest
    117 # /usr/local/bin/torcheck
    118 
    119 ############################################################################
    120 # SCRIPT STARTS HERE
    121 ############################################################################
    122 
    123 # TODO [0.3]
    124 # Items marked with SPLITOFF are subject to be moved in their own files.
    125 # Open for discussion.
    126 
    127 ######################################################
    128 # Variables
    129 ######################################################
    130 # Set the linux username.
    131 # "export USERNAME=$(whoami)" will not work, since the
    132 # script gets, in most cases, started as root.
    133 USERNAME="user"
    134 
    135 # change to home dir so relative paths work correctly
    136 cd /home/$USERNAME
    137 
    138 # Unattended (un)installation of packages.
    139 # Thanks to http://snowulf.com/2008/12/04/truly-non-interactive-unattended-apt-get-install/
    140 export DEBIAN_FRONTEND=noninteractive
    141 
    142 
    143 
    144 error_handler() {
    145 echo "
    146 ##################################################
    147 # TorBOX_Workstation script: ERROR detected.     #
    148 # Do not worry. Provable nothing serious.        #
    149 # The error_handler is still a toothless tiger.  #
    150 # In long term a trap function will be           #
    151 # implemented. This simply helps devs to add the #
    152 # necessary overriding. After that is done, this #
    153 # text will be changed and the script will       #
    154 # really stop.                                   #
    155 ##################################################
    156 "
    157 }
    158 
    159 trap "error_handler" ERR INT TERM
    160 
    161 
    162 
    163 root_check() {
    164 ######################################################
    165 # Checking script environment
    166 ######################################################
    167 # Check if we are root
    168   if [ "$(id -u)" != "0" ]; then
    169        echo "ERROR: This must be run as root (sudo)!"
    170        exit 1
    171   else
    172        echo "INFO: Script running as root."
    173   fi
    174 }
    175 
    176 
    177 
    178 set_dbusmachineid() {
    179 echo "
    180 ######################################################
    181 # Set generic UUIDs
    182 ######################################################
    183 "
    184 echo "b08dfa6083e7567a1921a715000001fb" > /var/lib/dbus/machine-id
    185 }
    186 
    187 
    188 
    189 create_fix_sources_list() {
    190 # This function is required because preseed without network connection will mess up
    191 # /etc/apt/sources.list.
    192 
    193 echo "
    194 # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
    195 # newer versions of the distribution.
    196 deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
    197 deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted
    198 
    199 ## Major bug fix updates produced after the final release of the
    200 ## distribution.
    201 deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted
    202 deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted
    203 
    204 ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    205 ## team. Also, please note that software in universe WILL NOT receive any
    206 ## review or updates from the Ubuntu security team.
    207 deb http://us.archive.ubuntu.com/ubuntu/ precise universe
    208 deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
    209 deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
    210 deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
    211 
    212 ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    213 ## team, and may not be under a free licence. Please satisfy yourself as to
    214 ## your rights to use the software. Also, please note that software in
    215 ## multiverse WILL NOT receive any review or updates from the Ubuntu
    216 ## security team.
    217 deb http://us.archive.ubuntu.com/ubuntu/ precise multiverse
    218 deb-src http://us.archive.ubuntu.com/ubuntu/ precise multiverse
    219 deb http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
    220 deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
    221 
    222 ## N.B. software from this repository may not have been tested as
    223 ## extensively as that contained in the main release, although it includes
    224 ## newer versions of some applications which may provide useful features.
    225 ## Also, please note that software in backports WILL NOT receive any review
    226 ## or updates from the Ubuntu security team.
    227 deb http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
    228 deb-src http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
    229 
    230 deb http://security.ubuntu.com/ubuntu precise-security main restricted
    231 deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
    232 deb http://security.ubuntu.com/ubuntu precise-security universe
    233 deb-src http://security.ubuntu.com/ubuntu precise-security universe
    234 deb http://security.ubuntu.com/ubuntu precise-security multiverse
    235 deb-src http://security.ubuntu.com/ubuntu precise-security multiverse
    236 
    237 ## Uncomment the following two lines to add software from Canonical's
    238 ## 'partner' repository.
    239 ## This software is not part of Ubuntu, but is offered by Canonical and the
    240 ## respective vendors as a service to Ubuntu users.
    241 # deb http://archive.canonical.com/ubuntu precise partner
    242 # deb-src http://archive.canonical.com/ubuntu precise partner
    243 
    244 ## Uncomment the following two lines to add software from Ubuntu's
    245 ## 'extras' repository.
    246 ## This software is not part of Ubuntu, but is offered by third-party
    247 ## developers who want to ship their latest software.
    248 # deb http://extras.ubuntu.com/ubuntu precise main
    249 # deb-src http://extras.ubuntu.com/ubuntu precise main
    250 " > /etc/apt/sources.list
    251 }
    252 
    253 
    254 
    255 apt_get() {
    256 echo "
    257 ######################################################
    258 # Updating system, removing problematic software
    259 ######################################################
    260 "
    261 
    262 echo "INFO: Updating system..."
    263 apt-get update && apt-get --yes dist-upgrade
    264 
    265 echo "INFO: Removing problematic software..."
    266 apt-get --yes remove --purge ntpdate popularity-contest resolvconf
    267 
    268 
    269 # build-essential is required to patch torsocks.
    270 echo "INFO: Installing required software..."
    271 apt-get --yes install --no-install-recommends nano wget gnupg ed torsocks mingetty build-essential dbus
    272 }
    273 
    274 
    275 
    276 config_grub() {
    277 echo "
    278 ######################################################
    279 # config_grub
    280 ######################################################
    281 "
    282 echo "
    283 GRUB_TERMINAL=console
    284 " > /etc/default/grub
    285 
    286 update-grub2
    287 }
    288 
    289 
    290 
    291 base_desktop() {
    292 echo "
    293 ######################################################
    294 # Installing base desktop
    295 ######################################################
    296 "
    297 
    298 apt-get --yes install --no-install-recommends xserver-xorg xinit openbox obmenu pcmanfm evince \
    299 libasound2 file-roller xchat gpicview gnome-mplayer tint2 unrar-free alsa alsa-utils \
    300 mplayer leafpad gnome-terminal zenity
    301 
    302 # no longer needed: rxvt-unicode
    303 
    304 # We should install the following at some later point...
    305 # - Thunderbird with TorBirdy, once no longer experimental.
    306 # - Pidgin, once torproject.org solved the remaining issues.
    307 # - Pidgin OTR
    308 # - Pidgin TorChat https://github.com/prof7bit/TorChat
    309 }
    310 
    311 
    312 
    313 config_audio() {
    314 echo "
    315 ######################################################
    316 # Set up audio
    317 ######################################################
    318 "
    319 
    320 usermod -a -G audio $USERNAME
    321 amixer set Master 70 unmute
    322 amixer set PCM 70 unmute
    323 }
    324 
    325 
    326 
    327 torsocks_patch() {
    328 # TODO: Do we really need to keep the source folder?
    329 # If yes, we would have to move it tor /home/$USERNAME/.torsocks-1.2.
    330 # But what if the script gets executed again? Than we would have to delete
    331 # the .torsocks-1.2 folder before. That may have unexpected side effects,
    332 # if someone was really working on the source and everything where gone.
    333 #
    334 # If someone wants to issue sudo make uninstall, source can be downloaded
    335 # again.
    336 #
    337 # If there are no objections, lets remove this todo.
    338 
    339 # Will break if torsocks gets updated.
    340 # Run as root, since T-W script also runs as root.
    341 
    342 echo "
    343 ########################
    344 # Get torsocks source
    345 ########################
    346 "
    347 
    348 # Get into temp folder.
    349 cd /tmp
    350 
    351 # Download torsocks source code.
    352 echo "INFO: Trying to download torsocks source code..."
    353 sudo -u $USERNAME apt-get source torsocks
    354 
    355 # Get into torsocks source code folder.
    356 cd /tmp/torsocks-1.2
    357 
    358 # Check if we could cd into the torsocks source code folder.
    359 # cd will return 0 if it was possible to get into that directory.
    360 if  [ "$?" != "0" ]; then
    361    # Inform about failure.
    362    echo "ERROR: Could not cd into torsocks-1.2 folder. torsocks got probable updated and torsocks_patch() is no longer necessary."
    363    # Restore working folder.
    364    cd /home/$USERNAME
    365    # Exit this function.
    366    return
    367 fi
    368 
    369 echo "INFO: Successfully joint the torsocks source code folder."
    370 
    371 echo "
    372 ########################
    373 # ./configure torsocks
    374 ########################
    375 "
    376 
    377 sudo -u $USERNAME ./configure
    378 
    379 echo "
    380 ########################
    381 # create torsocks patch
    382 ########################
    383 "
    384 
    385 # SPLITOFF /home/user/TorBOX_source/torsocks_patch
    386 # Source: https://bugs.gentoo.org/show_bug.cgi?id=395953#c7
    387 sudo -u $USERNAME echo '--- torsocks-1.2.orig//src/torsocks.c   2011-10-25 17:49:50.000000000 -0400
    388 +++ torsocks-1.2/src/torsocks.c 2012-02-21 11:09:20.000000000 -0500
    389 @@ -124,9 +124,9 @@
    390  #define LOAD_ERROR(s,l) { \
    391      const char *error; \
    392      error = dlerror(); \
    393 -    show_msg(l, "The symbol %s() was not found in any shared " \
    394 -                     "library. The error reported was: %s!\n", s, \
    395 -                     (error)?error:"not found"); \
    396 +    if (error) \
    397 +        show_msg(l, "The symbol %s() was not found in any shared " \
    398 +            "library. The error reported was: %s!\n", s, error); \
    399      dlerror(); \
    400      }
    401      pthread_mutex_lock(&torsocks_init_mutex);
    402 ' > /tmp/torsocks-1.2/torsocks_patch
    403 
    404 # Tee does not like the \n and converts them to new lines which breaks the patch.
    405 # | sudo -u $USERNAME tee
    406 
    407 # Correcting owner.
    408 chown $USERNAME torsocks_patch
    409 
    410 echo "
    411 ########################
    412 # patching torsocks
    413 ########################
    414 "
    415 
    416 sudo -u $USERNAME patch -p1 < torsocks_patch
    417 
    418 echo "
    419 ########################
    420 # make torsocks
    421 ########################
    422 "
    423 
    424 sudo -u user make
    425 
    426 echo "
    427 ########################
    428 # make install torsocks
    429 ########################
    430 "
    431 
    432 # Install as root.
    433 make install
    434 
    435 # Leave that folder.
    436 cd /home/$USERNAME
    437 
    438 # Temporary files will be delted by the slim_down function.
    439 }
    440 
    441 
    442 
    443 install_uwt() {
    444 echo "
    445 ######################################################
    446 # Installing uwt...
    447 ######################################################
    448 "
    449 
    450 # Using this until the feature to add ip/port through command line
    451 # reaches upstream torsocks, if ever. Source:
    452 # https://trac.torproject.org/projects/tor/wiki/doc/torsocks
    453 # If you make changes to uwt, please also add them "upstream"
    454 # (link above).
    455 
    456 # UPDATE 9
    457 
    458 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/uwt
    459 echo '
    460 #! /bin/sh
    461 # ***************************************************************************
    462 # *                                                                         *
    463 # *   Copyright (C) 2008-2011 Robert Hogan <robert@roberthogan.net>         *
    464 # *                                                                         *
    465 # *   This program is free software; you can redistribute it and/or modify  *
    466 # *   it under the terms of the GNU General Public License as published by  *
    467 # *   the Free Software Foundation; either version 2 of the License, or     *
    468 # *   (at your option) any later version.                                   *
    469 # *                                                                         *
    470 # *   This program is distributed in the hope that it will be useful,       *
    471 # *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
    472 # *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
    473 # *   GNU General Public License for more details.                          *
    474 # *                                                                         *
    475 # *   You should have received a copy of the GNU General Public License     *
    476 # *   along with this program; if not, write to the                         *
    477 # *   Free Software Foundation, Inc.,                                       *
    478 #*   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
    479 # ***************************************************************************
    480 # *                                                                         *
    481 # *   This is a modified version of a source file from the Tor project.     *
    482 # *   Original copyright notice from tsocks source file follows:            *
    483 # ***************************************************************************
    484 
    485 # Wrapper script for use of the tsocks(8) transparent socksification library
    486 # See the tsocks(1) and torify(1) manpages.
    487 
    488 # Copyright (c) 2004, 2006 Peter Palfrader
    489 # Modified by Jacob Appelbaum <jacob@appelbaum.net> April 16th 2006
    490 # Modified by Marcus Griep <marcus@griep.us> June 16 2009
    491 # May be distributed under the same terms as Tor itself
    492 
    493 # Note:
    494 # -v (verbose) and the UWT_VERBOSE environment variable set to 1
    495 # will break many graphical applications, which use applications,
    496 # which will call applications, which we wrapped to use uwt.
    497 
    498 # You can also type in shell:
    499 #       export UWT_VERBOSE="1"
    500 # to enable verbose output.
    501 # Note: When running applications as root, you also have to set and
    502 #       export that variable as root.
    503 
    504 # Define and ensure we have tsocks
    505 # XXX: what if we do not have which?
    506 TORSOCKS="`which torsocks`"
    507 PROG=
    508 VERBOSE=
    509 
    510 usage () {
    511         echo "Usage: $0 [-h] [-v] [ <command> [<options>...]"
    512 }
    513 
    514 set_id () {
    515         echo "ERROR: $1 is set${2}id. usewithtor will not work on a set${2}id executable." >&2
    516         exit 1
    517 }
    518 
    519 # Check for any argument list
    520 if [ "$#" = 0 ]; then
    521         usage >&2
    522         exit 1
    523 fi
    524 
    525 while [ "$1" ]; do
    526         case "$1" in
    527                 -h|--h*)
    528                         usage
    529                         exit 0
    530                         ;;
    531                 -v|--v*)
    532                         VERBOSE=YesPlease
    533                         shift
    534                         ;;
    535                 *)
    536                         break;
    537         esac
    538 done
    539 
    540 if [ -u `which "$1"` ]; then
    541         set_id $1 u
    542 elif [ -g `which "$1"` ]; then
    543         set_id $1 g
    544 fi
    545 
    546 if [ -x "$TORSOCKS" ]; then
    547         PROG=torsocks
    548 else
    549         echo "$0: Unable to find torsocks in PATH." >&2
    550         echo "    Perhaps you have not installed it?" >&2
    551         exit 1
    552 fi
    553 
    554 if [ "$VERBOSE" ]; then
    555         echo "We are armed with the following torsocks: $TORSOCKS"
    556         echo "We are attempting to use $PROG for all tor action."
    557 fi
    558 
    559 if [ "$PROG" = "torsocks" ]; then
    560         # Define our torsocks config file.
    561         # In ~ to avoid permission conflicts with root.
    562         # TODO: find a more elegant solutoin and revert back to sh script.
    563         TORSOCKS_CONF_FILE=~
    564         TORSOCKS_CONF_FILE="$TORSOCKS_CONF_FILE/.torsocks_temp"
    565         export TORSOCKS_CONF_FILE
    566 
    567         #echo "TORSOCKS_CONF_FILE: $TORSOCKS_CONF_FILE"
    568 
    569         echo "
    570                 # Temporary torsocks configuration file created by uwt.
    571                 # Safe to delete.
    572                 local = 127.0.0.0/255.128.0.0
    573                 local = 127.128.0.0/255.192.0.0
    574                 local = 169.254.0.0/255.255.0.0
    575                 local = 172.16.0.0/255.240.0.0
    576                 local = 192.168.0.0/255.255.0.0
    577                 server = $ip
    578                 server_type = 5
    579                 server_port = $port
    580         " > $TORSOCKS_CONF_FILE
    581 
    582         # Check that we have got a torsocks config file
    583         if [ -r "$TORSOCKS_CONF_FILE" ]; then
    584                 # echo "1 UWT_VERBOSE: $UWT_VERBOSE"
    585 
    586                 if [ -z $UWT_VERBOSE ]; then
    587                         # echo "UWT_VERBOSE: did not exist."
    588                         UWT_VERBOSE=0
    589                 else
    590                         if [ $UWT_VERBOSE -eq "1" ]; then
    591                                 VERBOSE=YesPlease
    592                         fi
    593                 fi
    594                 # echo "2 UWT_VERBOSE: $UWT_VERBOSE"
    595                 if [ $VERBOSE ]; then
    596                         echo "uwt"
    597                         echo "ip: $ip port: $port"
    598                 fi
    599 
    600                 UWT_LOCALHOST="0"
    601 
    602                 case "$*" in
    603                    *127.0.0.1*)
    604                       UWT_LOCALHOST="1"
    605                    ;;
    606                    *localhost*)
    607                       UWT_LOCALHOST="1"
    608                    ;;
    609                    *)
    610                       # do nothing
    611                       sleep 0
    612                    ;;
    613                 esac
    614 
    615                 if [ "$UWT_LOCALHOST" = "1" ]; then
    616                    if [ $VERBOSE ]; then
    617                       echo "UWT_LOCALHOST: $UWT_LOCALHOST NOT using torsocks."
    618                       echo "exec torsocks \"$@\""
    619                    fi
    620                    exec "$@"
    621                 else
    622                    if [ $VERBOSE ]; then
    623                       echo "UWT_LOCALHOST: $UWT_LOCALHOST USING torsocks."
    624                       echo "exec torsocks \"$@\""
    625                    fi
    626                    exec torsocks "$@"
    627                 fi
    628         else
    629                 # Since identity corelation through circuit sharing is at risk,
    630                 # we should no longer let torsocks default to 9050.
    631                 echo "$0: Missing torsocks configuration file \"$TORSOCKS_CONF_FILE\."
    632                 exit 1
    633         fi
    634 fi
    635 
    636 # We should have hit an exec. If we get here, we did not exec
    637 echo "$0: failed to exec $PROG $@" >&2
    638 exit 1
    639 # End of uwt script.
    640 ' > /usr/local/bin/uwt
    641 
    642 }
    643 
    644 
    645 
    646 install_uwt_wrappers() {
    647 ######################################################
    648 # Installing uwt wrappers
    649 ######################################################
    650 
    651 # SPLITOFF? /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/apt-get etc.
    652 
    653 # SOCKS_PORT_TB="9100"
    654 # - gui application with socks proxy settings
    655 # - no wrapper required
    656 
    657 # SOCKS_PORT_IRC="9101"
    658 # - gui application with socks proxy settings
    659 # - no wrapper required
    660 
    661 # SOCKS_PORT_TORBIRDY="9102"
    662 # - gui application with socks proxy settings
    663 # - no wrapper required
    664 # - not yet installed
    665 
    666 # SOCKS_PORT_IM="9103"
    667 # - gui application with socks proxy settings
    668 # - no wrapper required
    669 
    670 # SOCKS_PORT_APT_GET="9104"
    671 echo '
    672 #!/bin/bash
    673 ip=192.168.0.1 port=9104 uwt /usr/bin/apt-get $*
    674 ' > /usr/local/bin/apt-get
    675 
    676 # SOCKS_PORT_GPG="9105"
    677 echo '
    678 #!/bin/bash
    679 ip=192.168.0.1 port=9105 uwt /usr/bin/gpg $*
    680 ' > /usr/local/bin/gpg
    681 
    682 # SOCKS_PORT_SSH="9106"
    683 echo '
    684 #!/bin/bash
    685 ip=192.168.0.1 port=9106 uwt /usr/bin/ssh $*
    686 ' > /usr/local/bin/ssh
    687 
    688 # SOCKS_PORT_GIT="9107"
    689 echo '
    690 #!/bin/bash
    691 ip=192.168.0.1 port=9107 uwt /usr/bin/git $*
    692 ' > /usr/local/bin/git
    693 
    694 # SOCKS_PORT_HTPDATE="9108"
    695 echo '
    696 #!/bin/bash
    697 ip=192.168.0.1 port=9108 uwt /usr/bin/htpdate $*
    698 ' > /usr/local/bin/htpdate
    699 
    700 ## SOCKS_PORT_WGET="9109"
    701 #echo '
    702 ##!/bin/bash
    703 #ip=192.168.0.1 port=9109 uwt /usr/bin/wget $*
    704 #' > /usr/local/bin/wget
    705 
    706 # SOCKS_PORT_TORCHECK="9110"
    707 # - pointing uwt directly to this port
    708 # - no wrapper required
    709 
    710 # SOCKS_PORT_BITCOIN="9111"
    711 # - gui application with socks proxy settings
    712 # - not installed
    713 # - no wrapper required
    714 
    715 # SOCKS_PORT_PRIVOXY="9112"
    716 # - not installed
    717 # - no wrapper required
    718 
    719 # SOCKS_PORT_POLIPO="9113"
    720 # - not installed
    721 # - no wrapper required
    722 
    723 # More wrappers...
    724 
    725 # should be safe
    726 chmod +x /usr/local/bin/*
    727 
    728 }
    729 
    730 
    731 
    732 config_etc() {
    733 echo "
    734 ######################################################
    735 # /etc configs
    736 ######################################################
    737 "
    738 
    739 # in case we forgot to set the time during installation
    740 cp /usr/share/zoneinfo/UTC /etc/localtime
    741 
    742 # enable sub pixel rendering
    743 cp -n /etc/fonts/conf.avail/10-sub-pixel-rgb.conf /etc/fonts/conf.d/
    744 
    745 # Auto-login on tty6
    746 cp -n /etc/init/tty6.conf /etc/init/tty6.conf.backup
    747 # HARDCODED!
    748 ed -s /etc/init/tty6.conf <<< $',s/exec \/sbin\/getty -8 38400 tty6/exec \/sbin\/mingetty --autologin user --noclear tty6/g\nw'
    749 
    750 # Allow user to reboot and poweroff without having to supply a password.
    751 # Privilege escalation through backup file should not be possible because owned by root.
    752 # REVIEW: Is this OK? Race condition, syntax error detection do not apply here and we set correct permission just to make sure.
    753 cp -n /etc/sudoers /etc/sudoers.backup
    754 chmod 0440 /etc/sudoers.backup
    755 chown root /etc/sudoers.backup
    756 
    757 echo "
    758 $USERNAME $HOSTNAME=NOPASSWD: /sbin/shutdown -h now,/sbin/reboot,/sbin/poweroff
    759 " >> /etc/sudoers
    760 
    761 chmod 0440 /etc/sudoers
    762 }
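Review bot: appending to /etc/sudoers with `echo ... >>` on lines 757-759 installs the rule with no syntax check, and a malformed sudoers file disables sudo for everyone, which is exactly the question the REVIEW comment on line 752 raises. Write the rule to its own file instead and validate it before it takes effect, e.g. `echo "$USERNAME ALL=NOPASSWD: /sbin/shutdown -h now,/sbin/reboot,/sbin/poweroff" > /etc/sudoers.d/torbox-power && chmod 0440 /etc/sudoers.d/torbox-power && visudo -cf /etc/sudoers.d/torbox-power`, removing the file when the check fails; `ALL` for the host field also avoids the rule silently not matching when `$HOSTNAME` at build time differs from the hostname sudo sees later. The `ed` substitution on line 748 has the same silent-failure property: if the getty line is not exactly `exec /sbin/getty -8 38400 tty6`, nothing is changed, tty6 never autologins, and the `startx` hook added to .profile never fires; check that the substitution matched (`grep -q mingetty /etc/init/tty6.conf`) before continuing.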
    763 
    764 
    765 config_home() {
    766 echo "
    767 ######################################################
    768 # General ~/ configs
    769 ######################################################
    770 "
    771 
    772 # Create a backup of filed modified by config_home().
    773 sudo -u $USERNAME cp -n .bashrc .bashrc.backup
    774 sudo -u $USERNAME cp -n .gtkrc-2.0 .gtkrc-2.0.backup
    775 sudo -u $USERNAME cp -n .profile .profile.backup
    776 sudo -u $USERNAME cp -n .gnupg/gpg.conf .gnupg/gpg.conf.backup
    777 
    778 # Modify .bashrc to allow reboot and poweroff without sudo.
    779 echo '
    780 alias reboot="sudo reboot"
    781 alias poweroff="sudo poweroff"
    782 ' | sudo -u $USERNAME tee -a .bashrc
    783 
    784 # Set up icons for gtk2 (and theme, but I have not found a better theme yet that works both for gtk2 and 3)
    785 # (Humanity gets installed with evince)
    786 echo 'gtk-icon-theme-name="Humanity"' | sudo -u $USERNAME tee .gtkrc-2.0
    787 
    788 # TODO
    789 # Gtk3 - you probably need gnome-themes-standard
    790 # Uncommented till we decide on a theme that works across gtk2 and gtk3 apps.
    791 #sudo -u $USERNAME mkdir -p .config/gtk-3.0
    792 #echo "
    793 #[Settings]
    794 #gtk-theme-name=Adwaita
    795 #gtk-icon-theme-name=nuoveXT2
    796 #"| sudo -u $USERNAME tee .config/gtk-3.0/settings.ini
    797 
    798 # auto-start X, we do not need a display manager
    799 echo '
    800 # if logging into tty6 (which will autologin), run startx
    801 if [ -z "$DISPLAY" ] && [ $(tty) = /dev/tty6 ] ; then
    802     startx ;
    803 fi
    804 ' | sudo -u $USERNAME tee -a .profile
    805 
    806 # Fixing black on black for gnome-terminal.
    807 # Not working: gconftool-2 --set "/apps/gnome-terminal/profiles/Default/use_theme_colors" --type bool false
    808 # Thanks to: http://ubuntuforums.org/showthread.php?t=1513791
    809 sudo -u $USERNAME gconftool-2 --type string --set /apps/gnome-terminal/profiles/Default/foreground_color "#FFFFFFFFFFFF"
    810 
    811 # Run gpg at least once to create the GPG default files
    812 # gpg.conf, pubring.gpg and trustdb.gpg.
    813 # The --fingerprint option will do nothing and has been
    814 # added to let GPG terminate itself after creating the
    815 # configuration files. GPG run with no options would
    816 # result in GPG running interactively.
    817 sudo -u $USERNAME gpg --fingerprint --homedir /home/"$USERNAME"/.gnupg
    818 # Stop GPG from adding the version information.
    819 # Some further suggestions added from Debian.
    820 # http://keyring.debian.org/creating-key.html
    821 # TODO: needs review
    822 sudo -u $USERNAME echo "
    823 # TorBOX /home/user/.gnupg/gpg.conf changes.
    824 # suggestions from TorBirdy extensions.enigmail.agentAdditionalParam
    825 ##################################################################
    826 no-emit-version
    827 no-comments
    828 throw-keyids
    829 display-charset utf-8
    830 #no proxy because of uwt wrapper
    831 #keyserver-options http-proxy=http://127.0.0.1:8118
    832 keyserver hkp://2eghzlv2wwcq7u7y.onion
    833 ##################################################################
    834 
    835 personal-digest-preferences SHA512
    836 cert-digest-algo SHA512
    837 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    838 # End of TorBOX /home/user/.gnupg/gpg.conf changes.
    839 " >> /home/"$USERNAME"/.gnupg/gpg.conf
    840 }
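Review bot: `sudo -u $USERNAME echo "..." >> /home/"$USERNAME"/.gnupg/gpg.conf` on lines 822-839 does not do what the `sudo -u` suggests: the redirection is performed by the root shell, only `echo` runs as the user, so if gpg.conf did not exist it would be created root-owned. Use the same pattern as the rest of the function, `echo "..." | sudo -u $USERNAME tee -a /home/"$USERNAME"/.gnupg/gpg.conf`. Separately, every write in this function (`.bashrc`, `.gtkrc-2.0`, `.profile`, `.gnupg/gpg.conf`) uses a path relative to the current directory, but nothing here does `cd /home/$USERNAME`; either cd explicitly at the top or use absolute paths, otherwise a different cwd silently drops these files elsewhere.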
    841 
    842 
    843 
    844 config_openbox() {
    845 echo "
    846 ######################################################
    847 # OPENBOX+TINT2
    848 ######################################################
    849 "
    850 
    851 # prepare dirs
    852 sudo -u $USERNAME mkdir -p .config/openbox
    853 sudo -u $USERNAME mkdir .config/tint2
    854 
    855 # copy default files to home. Tint2 example file is Ubuntu specific
    856 sudo -u $USERNAME cp /usr/share/doc/tint2/examples/icon_and_text_1.tint2rc /home/$USERNAME/.config/tint2/tint2rc
    857 sudo -u $USERNAME cp /etc/xdg/openbox/rc.xml .config/openbox/
    858 
    859 # Autostart for GUI applications
    860 echo "
    861 tint2 &
    862 torcheck &
    863 exec openbox-session
    864 " | sudo -u $USERNAME tee .xinitrc
    865 
    866 # Fix ugly corners in tint2rc
    867 sudo -u $USERNAME ed -s .config/tint2/tint2rc <<< $',s/rounded = 7/rounded = 0/g\nw'
    868 
    869 # maximize TorBrowser windows
    870 ( echo '/<applications>/a'; echo '<application class="Tor*" role="browser"> <maximized>yes</maximized> </application>'; echo '.'; echo 'wq') | sudo -u $USERNAME ed -s .config/openbox/rc.xml
    871 
    872 # Win+Space shows Openbox menu.
    873 ( echo '/<keyboard>/a'; echo '<keybind key="W-space"><action name="ShowMenu"><menu>root-menu</menu></action></keybind>'; echo '.'; echo 'wq') | sudo -u $USERNAME ed -s .config/openbox/rc.xml
    874 
    875 # Configure the openbox right click menu.
    876 # Note: echo may not insert a newline at the beginning,
    877 #  otherwise Openbox will complain about a phrasing error.
    878 # How to create/modify this file:
    879 #  Actually very easy. Simply use obmenu from the Openbox
    880 #  right click menu. Make changes and paste here. There is
    881 #  no need to manually edit it.
    882 
    883 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.config/openbox/menu.xml
    884 
    885 echo '<?xml version="1.0" encoding="utf-8"?>
    886 <openbox_menu xmlns="http://openbox.org/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://openbox.org/                 file:///usr/share/openbox/menu.xsd">
    887         <menu id="root-menu" label="Openbox 3">
    888                 <item label="Terminal">
    889                         <action name="Execute">
    890                                 <execute>
    891                                         x-terminal-emulator
    892                                 </execute>
    893                         </action>
    894                 </item>
    895                 <item label="TorBrowser">
    896                         <action name="Execute">
    897                                 <execute>
    898 # HARDCODED!
    899                                         /home/user/tor-browser_en-US/start-tor-browser
    900                                 </execute>
    901                         </action>
    902                 </item>
    903                 <menu id="root-menu-25943" label="TorBOX">
    904                         <item label="Check your IP (takes few seconds)">
    905                                 <action name="Execute">
    906                                         <execute>torcheck</execute>
    907                                 </action>
    908                         </item>
    909                         <item label="Tor Browser Update Check (takes few seconds)">
    910                                 <action name="Execute">
    911                                         <execute>torcheck</execute>
    912                                 </action>
    913                         </item>
    914                 </menu>
    915                 <item label="File Manager">
    916                         <action name="Execute">
    917                                 <execute>
    918                                         pcmanfm
    919                                 </execute>
    920                         </action>
    921                 </item>
    922                 <menu id="root-menu-1" label="Applications">
    923                         <item label="Archive Manager">
    924                                 <action name="Execute">
    925                                         <execute>
    926                                                 file-roller
    927                                         </execute>
    928                                 </action>
    929                         </item>
    930                         <item label="IRC Client">
    931                                 <action name="Execute">
    932                                         <execute>
    933                                                 xchat
    934                                         </execute>
    935                                 </action>
    936                         </item>
    937                         <item label="Media Player">
    938                                 <action name="Execute">
    939                                         <execute>
    940                                                 gnome-mplayer
    941                                         </execute>
    942                                 </action>
    943                         </item>
    944                         <item label="PDF Viewer">
    945                                 <action name="Execute">
    946                                         <execute>
    947                                                 evince
    948                                         </execute>
    949                                 </action>
    950                         </item>
    951                         <item label="Text Editor">
    952                                 <action name="Execute">
    953                                         <execute>
    954                                                 leafpad
    955                                         </execute>
    956                                 </action>
    957                         </item>
    958                 </menu>
    959                 <separator/>
    960                 <menu id="client-list-menu"/>
    961                 <separator/>
    962                 <item label="obmenu">
    963                         <action name="Execute">
    964                                 <execute>
    965                                         obmenu
    966                                 </execute>
    967                         </action>
    968                 </item>
    969                 <item label="Reconfigure">
    970                         <action name="Reconfigure"/>
    971                 </item>
    972                 <item label="Restart">
    973                         <action name="Restart"/>
    974                 </item>
    975                 <separator/>
    976                 <item label="Exit">
    977                         <action name="Exit"/>
    978                 </item>
    979                 <item label="Shut down">
    980                         <action name="Execute">
    981                                 <execute>
    982                                         sudo /sbin/poweroff
    983                                 </execute>
    984                         </action>
    985                 </item>
    986         </menu>
    987 </openbox_menu>
    988 ' | sudo -u $USERNAME tee .config/openbox/menu.xml
    989 }
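Review bot: the `# HARDCODED!` comment on line 898 sits inside the single-quoted XML string, so it is written into menu.xml as part of the `<execute>` text and Openbox would try to run `#` as the command; move the comment above the `echo`. Also note the "Tor Browser Update Check" item (lines 909-913) executes `torcheck`, the same command as "Check your IP" immediately before it; either point it at the actual update-check command or drop the duplicate item. Finally, `sudo -u $USERNAME mkdir .config/tint2` on line 853 lacks `-p`, unlike the openbox mkdir one line above, so a second run fails there under the ERR trap before any of the configuration below is written.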
    990 
    991 
    992 
    993 config_pcmanfm() {
    994 echo "
    995 ######################################################
    996 # PCMANFM
    997 ######################################################
    998 "
    999 
    1000 sudo -u $USERNAME mkdir -p .config/libfm/
    1001 
    1002 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.config/libfm/libfm.conf
    1003 echo '
    1004 [config]
    1005 single_click=0
    1006 use_trash=0
    1007 confirm_del=1
    1008 show_internal_volumes=0
    1009 terminal=x-terminal-emulator -e %s
    1010 archiver=file-roller
    1011 thumbnail_local=1
    1012 thumbnail_max=2048
    1013 
    1014 [ui]
    1015 big_icon_size=48
    1016 small_icon_size=24
    1017 pane_icon_size=24
    1018 thumbnail_size=128
    1019 show_thumbnail=1
    1020 ' | sudo -u $USERNAME tee .config/libfm/libfm.conf
    1021 }
    1022 
    1023 
    1024 
    1025 create_gui_autostarts() {
    1026 echo "
    1027 ######################################################
    1028 # create_gui_autostarts
    1029 ######################################################
    1030 "
    1031 
    1032 # ~/.config/autostart is a freedesktop.org standard and should work cross desktop.
    1033 
    1034 # Discussion (can be deleted):
    1035 # - determine clean/standard autostart method for gui applications
    1036 #    tw is graphical so .xinit should do it, for headless: torbox welcome script should prompt the user to run it. We shouldn't run the script each time a user logs in on a tty console.
    1037 #      (proper) .xinitrc does not work cross desktop environment. Should we not use upstart scripts for any autostarts anyway?
    1038 #         xinitrc is DE agnostic (it actually is the place to start DEs...) Upstart may or may not work but it's most certainly not correct place to autostart GUI applications.
    1039 #           KDE does not listen to it: http://www.jon.demon.co.uk/kde_xinitrc/ Not sure about others...
    1040 #           Created: http://askubuntu.com/questions/155448/how-to-autostart-gui-application-cross-desktop
    1041 #           Lets wait for the outcome. If there is no other outcome, live with the glitch and inform about it.
    1042 #      (proper) .config/autostart looks like a great solution.
    1043 
    1044 # Create ~/.config/autostart if it does not exist.
    1045 sudo -u $USERNAME mkdir -p /home/$USERNAME/.config/autostart
    1046 
    1047 # Create torcheck autostart.
    1048 
    1049 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.config/autostart/torcheck.desktop
    1050 echo '
    1051 [Desktop Entry]
    1052 Type=Application
    1053 Exec=torcheck
    1054 ' | sudo -u $USERNAME tee /home/$USERNAME/.config/autostart/torcheck.desktop
    1055 }
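Review bot: the desktop entry on lines 1051-1053 has no `Name=` key, which the Desktop Entry Specification requires for every entry type; add `Name=torcheck` so launchers that validate entries do not reject it. Also, `torcheck &` is already started from .xinitrc on line 862; with this autostart entry in place it is launched twice per session, so keep one of the two.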
    1056 
    1057 
    1058 
    1059 create_tb_user_js() {
    1060 echo "
    1061 ######################################################
    1062 # create_tb_user_js
    1063 ######################################################
    1064 "
    1065 
    1066 # Editing /home/$USERNAME/tor-browser_en-US/Data/profile/users.js
    1067 # http://kb.mozillazine.org/User.js_file
    1068 # Configuring Torbutton to use SOCKSPort 9100 on 192.168.0.1 (TorBOX-Gateway);
    1069 # expanding extensions.torbutton.banned_ports with TorBOX specific ports;
    1070 # and set homepage to TorBOX/Readme.
    1071 # http://kb.mozillazine.org/User.js_file
    1072 
    1073 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/tor-browser_en-US/Data/profile/user.js
    1074 
    1075 echo '
    1076 # Begin of User.js.
    1077 # If you edit this file while Firefox is running, your changes will be
    1078 # overwritten, when you close Firefox.
    1079 
    1080 # How to create the User.js network settings:
    1081 # 1. Make a backup of prefs.js.
    1082 # 1. Start Tor Browser with the patched start script.
    1083 # 2. Apply TorBOX proxy settings with the Tor Button settings dialog..
    1084 # 3. Make a diff from the old and the new pref.js.
    1085 # 4. Copy the relevant changes to User.js.
    1086 
    1087 # network settings
    1088 user_pref("network.proxy.socks", "192.168.0.1");
    1089 user_pref("network.proxy.socks_port", 9100);
    1090 user_pref("extensions.torbutton.use_privoxy", false);
    1091 user_pref("extensions.torbutton.settings_method", "custom");
    1092 user_pref("extensions.torbutton.socks_host", "192.168.0.1");
    1093 user_pref("extensions.torbutton.socks_port", 9100);
    1094 user_pref("extensions.torbutton.custom.socks_host", "192.168.0.1");
    1095 user_pref("extensions.torbutton.custom.socks_port", 9100);
    1096 
    1097 # misc settings
    1098 user_pref("extensions.torbutton.prompt_torbrowser", false);
    1099 user_pref("general.autoScroll", true);
    1100 
    1101 # homepage
    1102 user_pref("browser.startup.homepage", "https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Readme");
    1103 
    1104 # banned ports
    1105 # https://www.torproject.org/torbutton/en/design/ and search for extensions.torbutton.banned_ports
    1106 # http://idnxcnkne4qt76tg.onion/torbutton/en/design/
    1107 user_pref("extensions.torbutton.banned_ports", "8118,8123,9050,9051,9100,9101,9102,9103,9104,9105,9106,9107,9108,9109,9110,9111,9112,9113");
    1108 
    1109 # End of User.js.
    1110 ' | sudo -u $USERNAME tee ./tor-browser_en-US/Data/profile/user.js
    1111 }
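Review bot: the comment on lines 1077-1078 describes prefs.js, not user.js: Firefox reads user.js at startup and never rewrites it, which is precisely why it is the right place for these settings. The step list on lines 1081-1085 also numbers two steps "1."; renumber to 1-5.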
    1112 
    1113 
    1114 
    1115 # Please keep in mind, we allow -update-torbrowser to run without root. If you ever make some changes,
    1116 # to config_torbrowser(), which require root, please disallow running the script without root.
    1117 # SPLITOFF the whole torbrowser functions can be moved into their own files.
    1118 #          /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/torbrowser-update
    1119 config_torbrowser() {
    1120 echo "
    1121 ######################################################
    1122 # TORBROWSER
    1123 ######################################################
    1124 "
    1125 
    1126 # Install TBB and patch it. This part may break when the file name or RecommendedTBBVersions format changes!
    1127 
    1128 # Get into correct directory is required for relative paths.
    1129 cd /home/$USERNAME
    1130 
    1131 # Delete old tbbdownload folder.
    1132 rm -r tbbdownload/
    1133 
    1134 # Create new tbbdownload folder.
    1135 sudo -u $USERNAME mkdir tbbdownload
    1136 
    1137 # Get into the tbbdownload folder.
    1138 cd tbbdownload
    1139 
    1140 # Importing GPG keys...
    1141 echo "INFO: Importing GPG keys to the temporary directory gpgtmpdir..."
    1142 echo "INFO: The GPG keys will not be permanently added to your keyring."
    1143 sudo -u $USERNAME mkdir gpgtmpdir
    1144 chmod 700 gpgtmpdir/
    1145 
    1146 echo "INFO: Getting the GPG keys... Verify the fingerprints. Do not trust the wiki..."
    1147 
    1148 # !!!VERIFY!!!
    1149 #
    1150 # https://www.torproject.org/docs/signing-keys.html.en
    1151 # http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en
    1152 
    1153 # !!!VERIFY!!!
    1154 echo "INFO: Getting Erinn Clarks GPG key..."
    1155 sudo -u $USERNAME gpg --homedir gpgtmpdir --keyserver keys.gnupg.net --recv 8738A680B84B3031A630F2DB416F061063FEE659
    1156 
    1157 # !!!VERIFY!!!
    1158 echo "INFO: Getting Sebastian Hahns GPG key..."
    1159 sudo -u $USERNAME gpg --homedir gpgtmpdir --keyserver keys.gnupg.net --recv 261C5FBE77285F88FB0C343266C8C2D7C5AA446D
    1160 
    1161 # !!!VERIFY!!!
    1162 echo "INFO: Verifying Erinn Clarks GPG key..."
    1163 sudo -u $USERNAME gpg --homedir gpgtmpdir --fingerprint 8738A680B84B3031A630F2DB416F061063FEE659
    1164 
    1165 if [ $? == 0 ];
    1166 then
    1167         echo "INFO: Successfully verified Erinn Clarks GPG key."
    1168         # FYI: Script will continue outside the if.
    1169 else
    1170         echo "ERROR: Could not verify Erinn Clarks GPG key."
    1171         echo "INFO: Tor Browser Download failed. Try again later using:"
    1172         echo "     TorBOX-Workstation -update-torbrowser"
    1173         # Exit this function.
    1174         return
    1175 fi
    1176 
    1177 # !!!VERIFY!!!
    1178 echo "INFO: Verifying Sebastian Hahns GPG key..."
    1179 sudo -u $USERNAME gpg --homedir gpgtmpdir --fingerprint 261C5FBE77285F88FB0C343266C8C2D7C5AA446D
    1180 
    1181 if [ $? == 0 ];
    1182 then
    1183         echo "INFO: Successfully verified Sebastian Hahns GPG key."
    1184         # FYI: Script will continue outside the if.
    1185 else
    1186         echo "ERROR: Could not verify Sebastian Hahns GPG key."
    1187         echo "INFO: Tor Browser Download failed. Try again later using:"
    1188         echo "     TorBOX-Workstation -update-torbrowser"
    1189         # Exit this function.
    1190         return
    1191 fi
    1192 
    1193 # Find out latest version.
    1194 sudo -u $USERNAME wget --output-document RecommendedTBBVersions https://check.torproject.org/RecommendedTBBVersions
    1195 
    1196 # Phrasing the last version information.
    1197 TBBVERSION=`grep Linux-i686 RecommendedTBBVersions |egrep -v 'alpha|x86_64'|awk '{sub(/^"/,"")}1'|awk '{sub(/-Linux-i686",/,"")}1'|tail -1`
    1198 
    1199 # Download the latest Tor Browser Bundle and its gpg signature.
    1200 # sudo -u $USERNAME wget http://idnxcnkne4qt76tg.onion/dist/torbrowser/linux/tor-browser-gnu-linux-i686-$TBBVERSION-dev-en-US.tar.gz{,.asc}
    1201 sudo -u $USERNAME wget https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-$TBBVERSION-dev-en-US.tar.gz{,.asc}
    1202 
    1203 # Verify GPG signature.
    1204 # Not using the users GPG keyring also ensures, that the key can be only
    1205 # singed by the GPG keys we added. Signatures from random people from the
    1206 # users keyring will be ignored.
    1207 sudo -u $USERNAME gpg --homedir gpgtmpdir --verify tor-browser*.asc
    1208 
    1209 # If the exit code ? of GPG return 0, GPG verification was successful.
    1210 if [ $? == 0 ];
    1211 then
    1212         echo "INFO: Signature valid."
    1213         # FYI: Script will continue outside the if.
    1214 else
    1215         echo "ERROR: Signature could NOT be verified. GPG exit code: $?"
    1216         echo "INFO: Deleting tor-browser-gnu-linux-*.tar.gz*..."
    1217         rm tor-browser-gnu-linux-*.tar.gz*
    1218 
    1219         echo "Regular file tor-browser-gnu-linux-*.tar.gz missing."
    1220         cd /home/$USERNAME
    1221         echo "Deleting tbbdownload..."
    1222         sudo -u $USERNAME rm -r tbbdownload
    1223         # Tell about failure.
    1224         touch TorBrowser_installation_FAILED
    1225         echo "Update Failed" >&2
    1226         # Exit this function.
    1227         echo "INFO: Tor Browser Download failed. Try again later using:"
    1228         echo "     TorBOX-Workstation -update-torbrowser"
    1229         return
    1230 fi
    1231 
    1232 if [ -f tor-browser-gnu-linux-*.tar.gz ];
    1233 then
    1234         echo "INFO: Regular file tor-browser-gnu-linux-*.tar.gz exists."
    1235         # Unpack.
    1236         sudo -u $USERNAME tar -xzvf tor-browser-gnu-linux-*.tar.gz
    1237 else
    1238         echo "FATAL ERROR: Regular file tor-browser-gnu-linux-*.tar.gz exists. Please report this bug!"
    1239 fi
    1240 
    1241 # Fix the start script.
    1242 sudo -u $USERNAME ed -s tor-browser_en-US/start-tor-browser <<< $',s/.\/App\/vidalia --datadir Data\/Vidalia\//.\/App\/Firefox\/firefox --profile Data\/profile/g\nw'
    1243 
    1244 # Remove stuff we do do need.
    1245 sudo -u $USERNAME rm ./tor-browser_en-US/App/{tor,vidalia}
    1246 sudo -u $USERNAME rm -r ./tor-browser_en-US/Data/{Tor,Vidalia}
    1247 sudo -u $USERNAME rm -r ./tor-browser_en-US/Docs/{Tor,Vidalia,Qt,README-TorBrowserBundle}
    1248 sudo -u $USERNAME rm -r ./tor-browser_en-US/Lib/*
    1249 
    1250 # Call the function create_tb_user_js().
    1251 create_tb_user_js
    1252 
    1253 echo "INFO: cd /home/$USERNAME..."
    1254 cd /home/$USERNAME
    1255 echo "INFO: Moving old folder tor-browser_en-US..."
    1256 sudo -u $USERNAME mv tor-browser_en-US tor-browser_en-US.old."`date '+%F-%H:%M:%S'`"
    1257 echo "INFO: Moving temporary folder tbbdownload/tor-browser_en-US to /home/$USERNAME/tor-browser_en-US"
    1258 mv tbbdownload/tor-browser_en-US tor-browser_en-US
    1259 echo "INFO: Deleting temporary folder tbbdownload..."
    1260 sudo -u $USERNAME rm -r tbbdownload
    1261 echo "INFO: Finished installing TBB. Can be found in /home/$USERNAME/tor-browser_en-US."
    1262 }
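Review bot: the signature check on lines 1207-1230 never confirms which key produced the signature. `gpg --verify` succeeds for any key in gpgtmpdir, and the comment on lines 1204-1206 relies on that directory containing only the two fetched keys, which is not checked after the keyserver fetches; run gpg with `--status-fd 1` and require a `VALIDSIG` line carrying one of the two pinned fingerprints before unpacking. Related defects in the same region: line 1215 reports `$?` after the `[ ... ]` test, so the printed "GPG exit code" is the test's status, not gpg's (save it first: `sudo -u $USERNAME gpg ... ; gpg_rc=$?`); the else branch on line 1238 says the archive "exists" when it means "missing" and then continues into the `ed`/`rm`/`mv` steps instead of `return`ing; and `rm -r tbbdownload/` (line 1132) and `mv tor-browser_en-US tor-browser_en-US.old.*` (line 1256) both fail on a first install when those directories do not exist yet, which under the ERR trap aborts the function, so guard them with `[ -d ... ] &&` or use `rm -rf`.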
    1263 
    1264 
    1265 
    1266 # Since we can start the script with -xchat, it might be a desirable goal to support,
    1267 # running config_xchat() without root. That may not be possible, since we disable
    1268 # most XChat plugins.
    1269 config_xchat() {
    1270 echo "
    1271 ######################################################
    1272 # XCHAT
    1273 ######################################################
    1274 "
    1275 
    1276 # Does not have a trap function yet.
    1277 # -xchat should not revert uninstall whole TorBOX-Workstation.
    1278 
    1279 # XChat settings from https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat with the exception,
    1280 # of the SOCKS settings. XChat gets its own SocksPort on TorBOX-Gateway, to prevent Identity correlation through
    1281 # circuit sharing.
    1282 
    1283 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.xchat2/xchat.conf
    1284 # xchat.conf
    1285 sudo -u $USERNAME mkdir .xchat2
    1286 
    1287 echo "
    1288 # By default, XChat based IRC software, when started-up, or run for first time,
    1289 # it starts to use local network, to connect to the internet. To prevent that,
    1290 # and to force it, to use Tor proxy (a Socks5 server):
    1291 #
    1292 # /set net_proxy_host 192.168.0.1
    1293 # /set net_proxy_port 9101
    1294 # /set net_proxy_type 3
    1295 # /set net_proxy_use 0
    1296 net_proxy_host = 192.168.0.1
    1297 net_proxy_port = 9101
    1298 # Technical note: 3 = socks5
    1299 net_proxy_type = 3
    1300 # Technical note: Do not worry. 0 is not equal to "off". 0 stands for "All".
    1301 #                 Check yourself https://toxin.jottit.com/xchat_set_variables
    1302 net_proxy_use = 0
    1303 
    1304 # XChat should not use the same circuit/exit server as other Tor applications.
    1305 # Otherwise activity in different applications could be correlated to the same
    1306 # pseudonym. There is a way to prevent that.
    1307 # It is called stream isolation. We use IsolateSOCKSAuth,
    1308 # see https://www.torproject.org/docs/tor-manual-dev.html.en
    1309 # The password is actually not required, but it does not hurt either.
    1310 # Will probable not hurt on Tor 0.2.2 and below.
    1311 # Works with Tor 0.2.3 and above.
    1312 #
    1313 # /set net_proxy_auth 1
    1314 # /set net_proxy_pass = XChat
    1315 # /set net_proxy_user = XChat
    1316 #
    1317 net_proxy_auth = 1
    1318 net_proxy_pass = XChat
    1319 net_proxy_user = XChat
    1320 
    1321 # Get rid of protocol leaks:
    1322 # a DCC session can reveal IP address, etc. identd flag can reveal your
    1323 # username which you use to login in your OS(Windows/Linux/Unix/MacOS) profile.
    1324 # To prevent those:
    1325 #
    1326 # /set dcc_auto_chat 0
    1327 # /set dcc_auto_resume OFF
    1328 # /set dcc_auto_send 0
    1329 # /set irc_hide_version ON
    1330 # /set identd OFF <-- NOT working on all XChat-based IRC software.
    1331 # But still highly suggested to include & use it.
    1332 # Probable not needed on UNIX, source: http://xchat.org/faq/#q21
    1333 dcc_auto_chat = 0
    1334 dcc_auto_resume = 0
    1335 dcc_auto_send = 0
    1336 irc_hide_version = 1
    1337 identd = 0
    1338 
    1339 # If you use your own comment instead of default values, then these data are
    1340 # posted on each channel when you do these events: JOIN, PART, QUIT, AWAY.
    1341 # So they can reveal who you actually are, when you are using same XChat
    1342 # software for multiple different nicknames.
    1343 #
    1344 # Delete everything under Settings -> Preferences -> Default Messages:
    1345 # -> Quit: <Deleted everything!>
    1346 # -> Leave channel: <Deleted everything!>
    1347 # -> Away: <Deleted everything!>
    1348 away_reason =
    1349 irc_part_reason =
    1350 irc_quit_reason =
    1351 
    1352 # By default, XChat based IRC software uses your platform OS(Operating System)s
    1353 # login user name as your nickname, user name, real name.  To prevent leaking
    1354 # that, and, to use your own choice of nickname, realname, username:
    1355 #
    1356 # ***Pseudonymous vs. anonymous IRC use.***
    1357 # Actually IRC is pseudonymous. Your nickname might also reveal something about
    1358 # your origin, interests, etc. You can make IRC more anonymous by choosing a more
    1359 # meaningless nickname. Use the following defaults if you want to be more anonymous.
    1360 # If user, user_ and user___ are already taken, add more _ or start using user1,
    1361 # user2, user3, etc. Or if the irc network auto assigns your a nickname, i.e.
    1362 # guest532, stick with that nickname.
    1363 #
    1364 # Of course, you are free to continue using IRC in a pseudonymous manner.
    1365 # In that case, instant of user, choose your nickname.
    1366 #
    1367 # /set irc_real_name user
    1368 # /set irc_user_name user
    1369 # /set irc_nick1 user
    1370 # /set irc_nick2 user_
    1371 # /set irc_nick3 user__
    1372 irc_real_name = user
    1373 irc_user_name = user
    1374 irc_nick1 = user
    1375 irc_nick2 = user_
    1376 irc_nick3 = user__
    1377 
    1378 # Use a more common nick completion suffix:
    1379 # When you write the first few characters of a nickname followed by tab,
    1380 # it will, by XChat default, complete the nickname and ", " behind the
    1381 # nickname. The behavior is XChat specific. The " :" is more more common
    1382 # for more common clients such as mIRC.
    1383 #
    1384 # XChat -> Settings -> Preferences -> input box -> completion_suffix set to :
    1385 #
    1386 completion_suffix = :
    1387 
    1388 # Not starting the server windows at the beginning so you can check and set
    1389 # settings before connecting to any IRC networks.
    1390 gui_slist_skip = 1
    1391 " | sudo -u $USERNAME tee .xchat2/xchat.conf
    1392 
    1393 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.xchat2/ignore.conf
    1394 # Disable DCC and CTCP replies.
    1395 echo '
    1396 # Issue/Use do this, to block the CTCP, DCC commands and
    1397 # inquiries sent toward your IRC client software:
    1398 #
    1399 # /ignore *!*@* CTCP DCC
    1400 # /ignore * CTCP DCC
    1401 mask = *
    1402 type = 136
    1403 mask = *!*@*
    1404 type = 136
    1405 ' | sudo -u $USERNAME tee .xchat2/ignore.conf
    1406 
    1407 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.xchat2/ctcpreply.conf
    1408 # Remove all ctcpreplies.
    1409 echo "
    1410 # new and empty
    1411 # no CTCP replies
    1412 #
    1413 # Same as:
    1414 # Go to Settings -> Advanced -> CTCP Replies, delete everything and safe. Check again if everything is empty.
    1415 " | sudo -u $USERNAME tee .xchat2/ctcpreply.conf
    1416 
    1417 # Remove all IRC servers but the TLS version of Tors official #Tor on OFTC.
    1418 # On port 9999, since that is not banned by so many Tor exit nodes.
    1419 # http://www.oftc.net/oftc/
    1420 # The OFTC TLS certificate is included in the package ca-certificates.
    1421 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/home/user/.xchat2/servlist_.conf
    1422 echo '
    1423 N=OFTC
    1424 E=IRC (Latin/Unicode Hybrid)
    1425 F=23
    1426 D=0
    1427 S=irc.oftc.net/9999
    1428 ' | sudo -u $USERNAME tee .xchat2/servlist_.conf
    1429 
    1430 # The following two commands require root.
    1431 
    1432 # 1) Prepare directory for the disabled plugins.
    1433 mkdir -p /usr/lib/xchat/plugins.disabled/
    1434 
    1435 # Disable unnecessary plugins (keep perl for sasl).
    1436 #   mv /usr/lib/xchat/plugins/{python.*,tcl.*} /usr/lib/xchat/plugins.disabled/
    1437 
    1438 # 2) Move all plugins to plugins.disabled.
    1439 mv /usr/lib/xchat/plugins/* /usr/lib/xchat/plugins.disabled/ || true
    1440 }
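Review bot: the active command `mv /usr/lib/xchat/plugins/* /usr/lib/xchat/plugins.disabled/ || true` moves every plugin, including perl, which contradicts the comment "keep perl for sasl" and the commented-out selective move of `{python.*,tcl.*}` two lines above it; either drop the "keep perl" comment or move only the python and tcl plugins. The comment block above the servlist promises the TLS version of the OFTC server, but the generated entry carries only `F=23`, an undocumented flag bitmask; a short comment stating which bits that number sets would let a reader confirm that SSL is really enabled for `irc.oftc.net/9999` rather than having to trust the number.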
    1441 
    1442 
    1443 
    1444 optional_hiddenserver() {
    1445 echo "
    1446 ######################################################
    1447 # Optional hidden webserver, using lighttpd as an example
    1448 ######################################################
    1449 "
    1450 
    1451 echo "INFO: Installing lighttpd..."
    1452 sudo apt-get install lighttpd
    1453 
    1454 echo "INFO: Backing up web server configuration files..."
    1455 cp -nr /etc/lighttpd/ /etc/lighttpd.backup/
    1456 
    1457 echo "INFO: Configuring web server..."
    1458 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/etc/lighttpd/lighttpd.conf
    1459 echo "\
    1460 server.port                = 12345
    1461 " >> /etc/lighttpd/lighttpd.conf
    1462 
    1463 echo "INFO: Restarting web server..."
    1464 service lighttpd restart
    1465 }
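Review bot: `echo "server.port = 12345" >> /etc/lighttpd/lighttpd.conf` appends unconditionally, so every re-run of the script (the generated files say they are rewritten on `TorBOX-Workstation -update`) stacks another `server.port` line; guard it, e.g. `grep -q '^server.port' /etc/lighttpd/lighttpd.conf || echo 'server.port = 12345' >> /etc/lighttpd/lighttpd.conf`. `sudo apt-get install lighttpd` lacks the `--yes` the other apt-get calls in this script use, so an unattended build stalls at the confirmation prompt. Also worth a pointer here: when the workstation firewall is enabled, port 12345 is only reachable once the commented-out `--dport 12345` INPUT rule in the generated firewall script is uncommented.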
    1466 
    1467 
    1468 
    1469 set_sysctl() {
    1470 echo "
    1471 ######################################################
    1472 # set_sysctl
    1473 ######################################################
    1474 "
    1475 
    1476 # no trap function yet
    1477 
    1478 # Let the kernel only swap if it is absolutely necessary.
    1479 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/etc/sysctl.conf
    1480 echo "
    1481 # Appended by TorBOX to /etc/sysctcl.conf
    1482 vm.swappiness=0
    1483 # End of TorBOX appends to /etc/systcl.conf
    1484 " >> /etc/sysctl.conf
    1485 
    1486 sysctl -p
    1487 }
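Review bot: the begin/end marker comments appended to /etc/sysctl.conf misspell the file name (`/etc/sysctcl.conf`, `/etc/systcl.conf`), which defeats their use as grep-able markers, and the block is appended unconditionally, so repeated runs stack duplicate `vm.swappiness=0` lines. Check for the marker before appending, e.g. `grep -q 'Appended by TorBOX' /etc/sysctl.conf || echo ... >> /etc/sysctl.conf`, and spell the file name the same way in both markers.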
    1488 
    1489 
    1490 
    1491 create_swap_file() {
    1492 echo "
    1493 ######################################################
    1494 # create_swap_file
    1495 ######################################################
    1496 "
    1497 # Source: http://www.cyberciti.biz/faq/linux-add-a-swap-file-howto/
    1498 
    1499 # Creating 512 MB swap file.
    1500 echo "INFO: Creating /swapfile1... This may take a while..."
    1501 dd if=/dev/zero of=/swapfile1 bs=1024 count=524288
    1502 echo "INFO: Created /swapfile1."
    1503 
    1504 # Format swapfile.
    1505 mkswap /swapfile1 --uuid 0615ba72-85b0-4183-8d54-300bb0d2e491
    1506 
    1507 # Set permissions.
    1508 chown root:root /swapfile1
    1509 
    1510 # Set permissions.
    1511 chmod 0600 /swapfile1
    1512 
    1513 # Should be probable omitted. No need. Will be restarted so or so.
    1514 # swapon /swapfile1
    1515 }
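Review bot: `dd if=/dev/zero of=/swapfile1 bs=1024 count=524288` creates the file under the default umask (typically mode 0644), and only the later `chmod 0600` closes it, so for the whole 512 MB write the future swap file is world-readable; create it with its final mode first, e.g. `install -m 0600 -o root -g root /dev/null /swapfile1` before the dd, or run the dd inside `( umask 077; dd ... )`. Minor: the two `# Set permissions.` comments are duplicates; the first one is the ownership step.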
    1516 
    1517 
    1518 
    1519 config_uuids_fstab() {
    1520 # code shared between TorBOX_Workstation and TorBOX_Gateway script.
    1521 
    1522 echo "
    1523 ######################################################
    1524 # Configuring disk uuids and /etc/fstab
    1525 ######################################################
    1526 "
    1527 # Change uuid of hdd created by operating system installer.
    1528 # WARNING: This assumes you used "Guided - use entire disk" partitioning (NOT LVM!)
    1529 tune2fs /dev/sda1 -U 26ada0c0-1165-4098-884d-aafd2220c2c6
    1530 
    1531 # Deactivate swap partition. Will not be created when using preseed.
    1532 # Deactivating anyway just in case anyone manually installs the operating system.
    1533 swapoff /dev/sda5 || true
    1534 
    1535 # Share the same uuid among all TorBOX users.
    1536 # Setting anyway just in case anyone manually installs the operating system
    1537 # and then applies the script.
    1538 mkswap /dev/sda5 -U 9159bf6e-e242-4510-b4c1-348db252feff || true
    1539 
    1540 echo "
    1541 # /etc/fstab: static file system information.
    1542 #
    1543 # Use blkid to print the universally unique identifier for a
    1544 # device; this may be used with UUID= as a more robust way to name devices
    1545 # that works even if disks are added and removed. See fstab(5).
    1546 
    1547 # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    1548 proc            /proc           proc    nodev,noexec,nosuid 0       0
    1549 
    1550 # TorBOX /etc/fstab changes.
    1551 
    1552 # HDD created by operating system installer.
    1553 # Disk UUID changed by TorBOX.
    1554 UUID=26ada0c0-1165-4098-884d-aafd2220c2c6 /               ext4    noatime,errors=remount-ro 0       1
    1555 
    1556 # Swap partition NOT created by TorBOX preseed installation method.
    1557 # Disk UUID changed by TorBOX.
    1558 # The swap partition has been removed in favor of a swap file.
    1559 # Advantage: with a swap file its easier to grow the virtual hdd
    1560 # and to add the new space to the filesystem.
    1561 # UUID=9159bf6e-e242-4510-b4c1-348db252feff none            swap    sw              0       0
    1562 
    1563 # Swap file created by TorBOX.
    1564 # Disk UUID changed by TorBOX.
    1565 # UUID=0615ba72-85b0-4183-8d54-300bb0d2e491
    1566 /swapfile1 swap swap defaults 0 0
    1567 
    1568 # End of TorBOX /etc/fstab changes.
    1569 " > /etc/fstab
    1570 
    1571 update-grub2
    1572 grub-install /dev/sda
    1573 }
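Review bot: /etc/fstab is overwritten unconditionally with the root entry `UUID=26ada0c0-1165-4098-884d-aafd2220c2c6`, but nothing checks that the preceding `tune2fs /dev/sda1 -U ...` succeeded (this function installs no trap, and only the `swapoff`/`mkswap` lines are explicitly allowed to fail); if tune2fs fails, the new fstab names a UUID the disk does not carry. Bail out on tune2fs failure before writing fstab, or verify afterwards with `blkid -s UUID -o value /dev/sda1` and compare against the expected value. The WARNING about "Guided - use entire disk" partitioning could be enforced rather than assumed by checking that /dev/sda1 is the device currently mounted on `/` before touching it.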
    1574 
    1575 
    1576 
    1577 config_network() {
    1578 echo "
    1579 ######################################################
    1580 # Configuring eth0 which is going to be attached to TorBOX-Gateway
    1581 ######################################################
    1582 "
    1583 
    1584 #ifdown -a
    1585 
    1586 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/etc/resolv.conf
    1587 echo "nameserver 192.168.0.1" > /etc/resolv.conf
    1588 
    1589 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/etc/network/interfaces
    1590 echo '
    1591 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1592 
    1593 # for more information, see interfaces(5)
    1594 auto lo
    1595 iface lo inet loopback
    1596 
    1597 auto eth0
    1598 iface eth0 inet static
    1599 # increment last octet on additional workstations
    1600 address 192.168.0.2
    1601        netmask 255.255.255.0
    1602        network 192.168.0.0
    1603        broadcast 192.168.0.255
    1604        gateway 192.168.0.1
    1605        # SPLITOFF torboxfirewall.sh to /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/twfirewall
    1606        pre-up /etc/torboxfirewall.sh
    1607 ' > /etc/network/interfaces
    1608 
    1609 #ifup -a
    1610 }
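Review bot: `pre-up /etc/torboxfirewall.sh` is a sound fail-closed choice (if the firewall script exits non-zero, ifupdown leaves eth0 down), but it deserves a comment saying so, otherwise a later reader may "fix" a failing hook by appending `|| true`; note that with the `exit 0` at the top of the generated firewall script the hook currently succeeds without loading any rule. `ifdown -a` and `ifup -a` are both commented out, so the rewritten /etc/network/interfaces, the static 192.168.0.2 address and the new resolv.conf only take effect at the next reboot; if that is intended, say so next to the "overwritten when issuing -update" comment. Minor: `address 192.168.0.2` is indented differently from the other `iface eth0` options.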
    1611 
    1612 
    1613 
    1614 firewall_setup() {
    1615 # TorBOX-Workstation script does not have a trap function yet.
    1616 # trap "roll_back" ERR INT TERM
    1617 echo "
    1618 ######################################################
    1619 Set up Firewall.
    1620 ######################################################
    1621 "
    1622 
    1623 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/twfirewall
    1624 echo \
    1625 '#!/bin/sh
    1626 
    1627 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1628 
    1629 # This firewall is disabled by default.
    1630 # Comment out the following exit 0 to enable it.
    1631 exit 0
    1632 
    1633 # WARNING! Do not use single quotes/apostrophes in the firwall comments!!!
    1634 
    1635 # NOTE: If you make changes to this firewall, think about, if it would
    1636 #       make sense, to add the changes to TorBOX-Gateway script as well.
    1637 #       Some things, like drop invalid packages, should be shared.
    1638 
    1639 # DESIGN NOTES:
    1640 # - This firewall script provides only damage limitation.
    1641 #   - Some additional security.
    1642 #   - For example, if Tor on TorBOX-Gateway were compromised through a
    1643 #     zero day exploit, it were harder to attack TorBOX-Workstation, which might
    1644 #     contain confidential data.
    1645 #   - In future, there will be an optional feature, to chain more than one
    1646 #     Gateway, you can have a separate Gateway for SSH, proxy or VPN which all
    1647 #     will be independent from each other.
    1648 #   - When using multiple TorBOX-Workstations, this offers some protection from
    1649 #     attacks from compromised TorBOX-Workstations, see
    1650 #     TorBOX / Security and Hardening for details.
    1651 # - This firewall script might also enhance the connectivity of certain
    1652 #   custom installed applications, because it rejects traffic, which is
    1653 #   not supported by Tor so or so, such as UDP and ICMP. For example, ping
    1654 #   will fail instantly (reject), instant of waiting for a timeout (drop).
    1655 # - This firewall is less important than the TorBOX-Gateway firewall.
    1656 # - Staying anonymous, is by TorBOX design, not dependent on TorBOX-Workstations
    1657 #   firewall. You could drop this firewall at all and were still anonymous.
    1658 #   This was always and will always be that way for all TorBOX versions.
    1659 # - TorBOX-Gateways firewall is responsible for routing all traffic over Tor.
    1660 
    1661 # - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).
    1662 
    1663 # source for some rules:
    1664 # http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
    1665 
    1666 ###########################
    1667 # /etc/torboxfirewall.sh
    1668 ###########################
    1669 
    1670 echo "OK: Latest firewall updates can always be found here:"
    1671 echo "OK: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX"
    1672 echo "OK: Loading TorBOX firewall..."
    1673 
    1674 ###########################
    1675 # VARIABELS
    1676 ###########################
    1677 
    1678 # Not in use/defined yet.
    1679 # INT_IF could be the internal network.
    1680 # EXT_IF could be an additional virtual network adapter,
    1681 #        such as OnionCat or OpenVPN.
    1682 
    1683 # External interface
    1684 EXT_IF='$EXT_IF'
    1685 # Internal interface
    1686 INT_IF='$INT_IF'
    1687 
    1688 ###########################
    1689 # IPv4 DEFAULTS
    1690 ###########################
    1691 
    1692 # Set secure defaults.
    1693 iptables -P INPUT DROP
    1694 
    1695 # FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
    1696 iptables -P FORWARD DROP
    1697 
    1698 # Will be lifted below.
    1699 iptables -P OUTPUT DROP
    1700 
    1701 ###########################
    1702 # IPv4 PREPARATIONS
    1703 ###########################
    1704 
    1705 # Flush old rules.
    1706 iptables -F
    1707 iptables -X
    1708 iptables -t nat -F
    1709 iptables -t nat -X
    1710 iptables -t mangle -F
    1711 iptables -t mangle -X
    1712 
    1713 ############################
    1714 # IPv4 DROP INVALID PACKAGES
    1715 ############################
    1716 
    1717 # DROP INVALID
    1718 iptables -A INPUT -m state --state INVALID -j DROP
    1719 
    1720 # DROP INVALID SYN PACKETS
    1721 iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
    1722 iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    1723 iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    1724 
    1725 # DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
    1726 iptables -A INPUT -f -j DROP
    1727 
    1728 # DROP INCOMING MALFORMED XMAS PACKETS
    1729 iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    1730 
    1731 # DROP INCOMING MALFORMED NULL PACKETS
    1732 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    1733 
    1734 ###########################
    1735 # IPv4 INPUT
    1736 ###########################
    1737 
    1738 # Traffic on the loopback interface is accepted.
    1739 iptables -A INPUT -i lo -j ACCEPT
    1740 
    1741 # Established incoming connections are accepted.
    1742 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    1743 
    1744 #+# OptionalFeatureNr.2#
    1745 #+# Uncomment the following line, if you want to use a Hidden Service
    1746 #+# on port 12345.
    1747 #iptables -A INPUT -p tcp --dport 12345 -j ACCEPT
    1748 
    1749 # Reject anything not explicitly allowed above.
    1750 iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
    1751 
    1752 ###########################
    1753 # IPv4 FORWARD
    1754 ###########################
    1755 
    1756 iptables -A FORWARD -j DROP
    1757 
    1758 ###########################
    1759 # IPv4 OUTPUT
    1760 ###########################
    1761 
    1762 # Allow unlimited traffic on localhost.
    1763 iptables -A OUTPUT -o lo -j ACCEPT
    1764 
    1765 # Allow TorBOX-Workstation to query TorBOX-Gateway for DNS.
    1766 iptables -A OUTPUT -p udp --dport 53 --dst 192.168.0.1 -j ACCEPT
    1767 
    1768 # Not sure about the next one. UDP is not supported by Tor, why not
    1769 # block any outgoing UDP. Might have unwanted side effects when tunneling
    1770 # UDP over Tor.
    1771 # https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations/TunnelingUDPoverTor
    1772 #
    1773 # All other non-TCP protocol traffic gets rejected.
    1774 # iptables knows 7 different protocols and all.
    1775 # (tcp, udp, udplite, icmp, esp, ah, sctp or all)
    1776 #
    1777 # The following rule (1) does for some unknown reason, not make rule (2) redundant.
    1778 # (1) iptables -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable -> (3)
    1779 # (2) iptables -A OUTPUT -p icmp -j REJECT --reject-with icmp-port-unreachable -> (4)
    1780 #
    1781 # (3) ping torproject.org
    1782 #     4 packets transmitted, 0 received, 100% packet loss, time 3000ms
    1783 #
    1784 # (4) ping torproject.org
    1785 #     From 192.168.0.2 icmp_seq=1 Destination Port Unreachable
    1786 #     0 packets transmitted, 0 received, +100 errors
    1787 #
    1788 # The next rule ensures, that only tcp can leave and archives the desired result from (4).
    1789 iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
    1790 
    1791 # Allow full outgoing connection but no incoming stuff.
    1792 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    1793 
    1794 # Logging in case, needed for debugging.
    1795 #iptables -A OUTPUT -j LOG
    1796 
    1797 # Reject all other outgoing traffic.
    1798 iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
    1799 
    1800 ###########################
    1801 # IPv6
    1802 ###########################
    1803 
    1804 # Policy DROP for all traffic as fallback.
    1805 ip6tables -P INPUT DROP
    1806 ip6tables -P OUTPUT DROP
    1807 ip6tables -P FORWARD DROP
    1808 
    1809 # Flush old rules.
    1810 ip6tables -F
    1811 ip6tables -X
    1812 ip6tables -t mangle -F
    1813 ip6tables -t mangle -X
    1814  
    1815 # Allow unlimited access on loopback.
    1816 ip6tables -A INPUT -i lo -j ACCEPT
    1817 ip6tables -A OUTPUT -o lo -j ACCEPT
    1818 
    1819 # Logging in case, needed for debugging.
    1820 #ip6tables -A INPUT -j LOG
    1821 
    1822 # Drop/reject all other traffic.
    1823 ip6tables -A INPUT -j DROP
    1824 ip6tables -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
    1825 ip6tables -A FORWARD -j DROP
    1826 
    1827 ###########################
    1828 # End
    1829 ###########################
    1830 
    1831 echo "OK: The firewall should show any messages besides output beginning with prefix OK:..."
    1832 echo "OK: TorBOX firewall loaded."
    1833 ' > /etc/torboxfirewall.sh
    1834 
    1835 chmod +x /etc/torboxfirewall.sh
    1836 }
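Review bot: the generated /etc/torboxfirewall.sh begins with `exit 0`, so everything after it, including the INPUT/OUTPUT/FORWARD DROP policies, the invalid-packet drops and the IPv6 rules, never runs by default, yet the DESIGN NOTES and the final `echo "OK: TorBOX firewall loaded."` read as if it did. Either print a line stating that the firewall is disabled before the `exit 0`, or turn the switch into a variable (`ENABLED=0`) that the comment tells the user to flip, so the "loaded" message is never printed for a no-op. Rule ordering looks right: loopback and RELATED,ESTABLISHED come before the final REJECT, and the `--dport 53 --dst 192.168.0.1` UDP accept precedes the `! -p tcp` REJECT, matching the nameserver written to /etc/resolv.conf. Typo in the closing message: "The firewall should show any messages besides ..." is missing "not".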
    1837 
    1838 
    1839 # SPLITOFF all the files must go into their own files.
    1840 # /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/leaktest
    1841 # /home/user/TorBOX_source/TorBOX_Workstation/usr/share/leaktest/simple_ping.py
    1842 # etc.
    1843 leaktest_tw() {
    1844 #trap "roll_back" ERR INT TERM
    1845 
    1846 # leaktest_tg() does nothing dangerous.
    1847 # It creates only /usr/share/leaktest/ and /usr/local/bin/leaktest
    1848 # The neccessary software for leak testing will be only installed,
    1849 # if you run /usr/local/bin/leaktest.
    1850 
    1851 echo "
    1852 ######################################################
    1853 # Creating leaktests
    1854 ######################################################
    1855 "
    1856 
    1857 # Create the leaktest folder.
    1858 mkdir -p /usr/share/leaktest/
    1859 
    1860 echo "
    1861 ########################
    1862 #Creating simple_ping.py
    1863 ########################
    1864 "
    1865 
    1866 echo '
    1867 #! /usr/bin/env python
    1868 
    1869 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1870 
    1871 # Since it will be useful to know something about the script,
    1872 # for the later tests, the terms are defined here:
    1873 # (A discussion of Python language structure is beyond
    1874 # the scope of this document)
    1875 
    1876 # [1] http://en.wikipedia.org/wiki/Ipv4
    1877 # [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
    1878 # [3] http://en.wikipedia.org/wiki/IP_routing
    1879 # [4] http://en.wikipedia.org/wiki/Ping
    1880 # [5] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#List_of_permitted_control_messages_.28incomplete_list.29
    1881 # [6] http://www.secdev.org/projects/scapy/doc/usage.html#send-and-receive-packets-sr
    1882 # [7] http://www.secdev.org/projects/scapy/doc/usage.html#stacking-layers
    1883 
    1884 import sys
    1885 from scapy.all import *
    1886 
    1887 # define the target gateway & data payload
    1888 target = "192.168.0.1"
    1889 data = "testing"
    1890 
    1891 # define packets
    1892 # These define two variables, that are set to the object types IP
    1893 # and ICMP respectively. These objects in Scapy define the protocol
    1894 # type for IP (default IPv4) [1] and ICMP [2] respectively.
    1895 # And will send packets on the wire of these types when used.
    1896 ip = IP()
    1897 icmp = ICMP()
    1898 
    1899 # define packet parameters
    1900 ip.dst = target
    1901 
    1902 # IP packets are used for routing [3] between networks on the Internet.
    1903 # So, we assign the destination (dst) in the IP portion of the
    1904 # packet we are going to assemble and send out.
    1905 icmp.type = 8
    1906 icmp.code = 0
    1907 
    1908 # Defines the type of ICMP message to send out. The ..8 type.. is
    1909 # a type defined as ..echo request.., e.g. a simple ping [4].
    1910 # See a list here of  various types of ICMP [5] messages here.
    1911 
    1912 # The sr1() [6] command will ..send and receive network traffic,
    1913 # returning the 1st packet received...
    1914 # The notation of ..ip/icmp/data.. is the notation for encapsulation
    1915 # of various instances of networking protocols [7].
    1916 # Read it right to left: ..data encapsulated inside an ICMP message
    1917 # and encapsulated inside an IP datagram...
    1918 test_ping = sr1(ip/icmp/data)
    1919 
    1920 if isinstance(test_ping, types.NoneType):
    1921         print "No response"
    1922 else:
    1923 # Prints a short report on the packet received (if any).
    1924         test_ping.summary()
    1925 ' > /usr/share/leaktest/simple_ping.py
    1926 
    1927 echo "
    1928 #################################
    1929 #Creating exhaustive_ip_send.py
    1930 #################################
    1931 "
    1932 
    1933 echo '
    1934 #! /usr/bin/env python
    1935 
    1936 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1937 
    1938 import sys
    1939 from scapy.all import *
    1940 
    1941 #define the target gateway & data payload
    1942 target = "google.com"
    1943 data = "testing"
    1944 
    1945 #define packet
    1946 ip = IP()
    1947 
    1948 #define packet parameters
    1949 ip.dst = target
    1950 
    1951 #loop through all IP packet types
    1952 for ip_type in range(0,255):
    1953         ip.proto = ip_type
    1954         send(ip/data)
    1955 ' > /usr/share/leaktest/exhaustive_ip_send.py
    1956 
    1957 echo "
    1958 #################################
    1959 #Creating tcp_test.py
    1960 #################################
    1961 "
    1962 
    1963 echo '
    1964 #! /usr/bin/env python
    1965 
    1966 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1967 
    1968 import sys
    1969 from scapy.all import *
    1970 
    1971 #define the target gateway & data payload
    1972 target = "google.com"
    1973 data = "testing"
    1974 
    1975 #define packets
    1976 ip = IP()
    1977 tcp = TCP()
    1978 
    1979 #define packet parameters
    1980 ip.dst = target
    1981 
    1982 #loop through all TCP ports
    1983 for tcp_port in range(0,65535):
    1984         tcp.dport = tcp_port
    1985         send(ip/tcp/data)
    1986 ' > /usr/share/leaktest/tcp_test.py
    1987 
    1988 echo "
    1989 #################################
    1990 #Creating udp_test.py
    1991 #################################
    1992 "
    1993 
    1994 echo '
    1995 #! /usr/bin/env python
    1996 
    1997 # This file gets overwritten when issuing TorBOX-Workstation -update.
    1998 
    1999 import sys
    2000 from scapy.all import *
    2001 
    2002 #define the target gateway & data payload
    2003 target = "google.com"
    2004 data = "testing"
    2005 
    2006 #define packets
    2007 ip = IP()
    2008 udp = UDP()
    2009 
    2010 #define packet parameters
    2011 ip.dst = target
    2012 
    2013 #loop through all TCP ports
    2014 for udp_port in range(0,65535):
    2015         udp.dport = udp_port
    2016         send(ip/udp/data)
    2017 ' > /usr/share/leaktest/udp_test.py
    2018 
    2019 echo "
    2020 #################################
    2021 # Creating leaktest script...
    2022 #################################
    2023 "
    2024 
    2025 echo '
    2026 #!/bin/bash
    2027 
    2028 # This file gets overwritten when issuing TorBOX-Workstation -update.
    2029 
    2030 # Exit if there is an error
    2031 set -e
    2032 
    2033 # Check if we are root
    2034   if [ "$(id -u)" != "0" ]; then
    2035      echo "leaktest: This script must be run as root (sudo)"
    2036      exit 1
    2037   fi
    2038 
    2039 echo "leaktest: Installing python-scapy, if it is not installed yet."
    2040 # Install scapy to the TorBOX-Workstation for Leak Testing.
    2041 apt-get --yes install python-scapy
    2042 
    2043 echo "leaktest: Starting leak test, hit ctrl+c to abort..."
    2044 echo "leaktest: Make sure leaktest is already running on TorBOX-Gateway."
    2045 
    2046 echo "leaktest: python /usr/share/leaktest/exhaustive_ip_send.py..."
    2047 python /usr/share/leaktest/exhaustive_ip_send.py
    2048 echo "leaktest: python /usr/share/leaktest/tcp_test.py..."
    2049 python /usr/share/leaktest/tcp_test.py
    2050 echo "leaktest: python /usr/share/leaktest/udp_test.py..."
    2051 python /usr/share/leaktest/udp_test.py
    2052 
    2053 echo "leaktest: You may uninstall python-scapy manually using:"
    2054 echo "          sudo apt-get remove python-scapy"
    2055 echo "leaktest: Leaktest finished."
    2056 echo "leaktest: See TorBOX/LeakTestsOld on instructions how to interpret the results."
    2057 ' > /usr/local/bin/leaktest
    2058 
    2059 chmod +x /usr/local/bin/leaktest
    2060 }
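Review bot: in simple_ping.py, `sr1(ip/icmp/data)` is called without a `timeout`, so when the gateway filters ICMP the call blocks instead of reaching the "No response" branch, which is precisely the outcome a leak test should report; pass e.g. `timeout=5`. That branch also relies on `types` having been pulled in by `from scapy.all import *` (only `sys` is imported explicitly); `if test_ping is None:` removes the dependency. The interpreter line is not the first line of any generated file here: `echo '` starts each file with a newline, so `#! /usr/bin/env python` in the four Python files and `#!/bin/bash` in /usr/local/bin/leaktest land on line 2 and are not honoured by the kernel; the Python files are invoked as `python ...` so it is cosmetic there, but `/usr/local/bin/leaktest` is executed directly, and the same applies to the torcheck and cron.daily/torcheck scripts below. Put the shebang on the same line as the opening quote, as rc.local and torboxfirewall.sh already do. Smaller points: `range(0,65535)` stops at port 65534 and `range(0,255)` at protocol 254 (use 65536 and 256 if the test is meant to be exhaustive); the udp_test.py comment says "loop through all TCP ports"; and the comment `leaktest_tg() does nothing dangerous` names the gateway function, this one is `leaktest_tw()`.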
    2061 
    2062 
    2063 # SPLITOFF /home/user/TorBOX_source/TorBOX_Shared/usr/local/bin/torcheck
    2064 create_torcheck_script() {
    2065 echo "
    2066 ######################################################
    2067 Creating torcheck script.
    2068 ######################################################
    2069 "
    2070 
    2071 echo '
    2072 #!/bin/bash
    2073 
    2074 #echo "
    2075 # Temporarily moved to https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/torcheck
    2076 # You can get it form there.
    2077 #
    2078 # Until we figured out https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#torcheckscriptdiscussion
    2079 #"
    2080 #' > /usr/local/bin/torcheck
    2081 
    2082 chmod +x /usr/local/bin/torcheck
    2083 }
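Review bot: the `#` in front of the closing `' > /usr/local/bin/torcheck` does not comment anything out, because it is still inside the single-quoted string opened by `echo '`; the echo therefore runs, and /usr/local/bin/torcheck is created and made executable with nothing in it but a commented-out message and a stray `#` as its last line. If the script is intentionally parked until the linked discussion is settled, make that explicit: generate a stub whose only statement is an `echo` telling the user that torcheck is temporarily unavailable and where to get it, and drop the `chmod +x` until there is a real script.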
    2084 
    2085 
    2086 
    2087 modify_crontab() {
    2088 # TODO: Please review. If it is ok, delete this one.
    2089 
    2090 # Adds torcheck script. Also note the following link when
    2091 # you are about to add graphical applications to cron.
    2092 # http://promberger.info/linux/2009/01/02/running-x-apps-like-zenity-from-crontab-solving-cannot-open-display-problem/
    2093  
    2094 # Add crontab.
    2095 # cron.daily will run as root, but the script will be executed as user.
    2096 # Otherwise wget would run as root.
    2097 # SPLITOFF /home/user/TorBOX_source/TorBOX_Workstation/etc/cron.daily/torcheck
    2098 echo "
    2099 #!/bin/bash
    2100 # torcheck script by TorBOX
    2101 sudo -u $USERNAME /usr/local/bin/torcheck &
    2102 #end of crontab
    2103 " > /etc/cron.daily/torcheck
    2104 
    2105 # Make crontab script executable.
    2106 chmod +x /etc/cron.daily/torcheck
    2107 }
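Review bot: /etc/cron.daily/torcheck launches `/usr/local/bin/torcheck`, which the previous function currently generates as a no-op stub, so this daily job does nothing; either install the cron job together with a working torcheck or leave it out until then, as the TODO at the top of the function suggests. The trailing `&` backgrounds torcheck from a run-parts job, so any failure never reaches cron's mail, and, per the link in the comment, a graphical torcheck will also need `DISPLAY` exported here. The `#!/bin/bash` is on line 2 of the generated file (the echo string starts with a newline); move it up onto the `echo "` line.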
    2108 
    2109 
    2110 
    2111 create_rc_local() {
    2112 trap "roll_back" ERR INT TERM
    2113 echo "
    2114 ######################################################
    2115 Fixing, recreating /etc/rc.local
    2116 ######################################################
    2117 "
    2118 
    2119 # /etc/rc.local was (ab)used by TorBOX-Image -tX-copyinto
    2120 # to run TorBOX_$VM script once. That is because TorBOX_$VM
    2121 # scripts get executed inside the VM. We restore /etc/rc.local
    2122 # here. A new TorBOX-Image -tX-copyinto would overwrite it
    2123 # again.
    2124 
    2125 # Using "" because the $USERNAME should be converted to "user"
    2126 # by the TorBOX_Gateway script.
    2127 echo "#!/bin/sh -e
    2128 #
    2129 # rc.local
    2130 #
    2131 # This script is executed at the end of each multiuser runlevel.
    2132 # Make sure that the script will "exit 0" on success or any other
    2133 # value on error.
    2134 #
    2135 # In order to enable or disable this script just change the execution
    2136 # bits.
    2137 #
    2138 # By default this script does nothing.
    2139 
    2140 # TorBOX changes to /etc/rc.local.
    2141 
    2142 # TorBOX WARNING:
    2143 # Better make a backup of this script if you want to make changes.
    2144 
    2145 echo \"rc.local: Start...\"
    2146 set -x
    2147 setterm -blank 0 -powerdown 0
    2148 sudo -u $USERNAME setterm -blank 0 -powerdown 0
    2149 echo \"rc.local: End.\"
    2150 
    2151 # End of TorBOX changes to /etc/rc.local.
    2152 
    2153 exit 0
    2154 " > /etc/rc.local
    2155 }
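Review bot: the comment line `# Make sure that the script will "exit 0" on success or any other` sits inside the double-quoted echo, so its unescaped quotes end and restart the string; bash happens to reassemble the words so the file is still written (minus the quote characters), but any future edit that adds a character between those words would silently change the output. Escape them as `\"exit 0\"`, the way the `echo \"rc.local: Start...\"` lines already do. This function installs `trap "roll_back" ERR INT TERM`, while the comment in firewall_setup states that the Workstation script has no trap function yet; if `roll_back` is not defined in this script, the trap fires an undefined command on the first error. And `set -x` in the generated rc.local traces every command on the console at each boot; drop it once debugging is done.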
    2156 
    2157 
    2158 
    2159 # SPLITOFF, perhaps to /home/user/TorBOX_source/TorBOX_Shared/slim_down
    2160 slim_down() {
    2161 echo "
    2162 ######################################################
    2163 Slim down the system.
    2164 ######################################################
    2165 "
    2166 # Remove unnecessary packages to slim down the system.
    2167 # This list contains only packages, which waste space and are not required.
    2168 # Unsafe or problematic packages are being removed with apt_get().
    2169 apt-get --yes remove --purge xserver-xorg-video-all xserver-xorg-video-ati xserver-xorg-video-fbdev \
    2170 xserver-xorg-video-geode xserver-xorg-video-intel xserver-xorg-video-mach64 xserver-xorg-video-mga \
    2171 xserver-xorg-video-neomagic xserver-xorg-video-nouveau xserver-xorg-video-openchrome \
    2172 xserver-xorg-video-qxl xserver-xorg-video-r128  xserver-xorg-video-radeon xserver-xorg-video-s3 \
    2173 xserver-xorg-video-savage xserver-xorg-video-siliconmotion xserver-xorg-video-sis xserver-xorg-video-sisusb \
    2174 xserver-xorg-video-tdfx xserver-xorg-video-trident xserver-xorg-video-vmware fuse command-not-found* \
    2175 geoip-database sound-theme-freedesktop fuse-utils aptitude pciutils hdparm lshw ftp parted telnet \
    2176 mlocate ufw ppp pppconfig pppoeconf bind9-host dosfstools strace mtr-tiny
    2177 
    2178 echo "Cleaning up..."
    2179 
    2180 # Not sure about those:
    2181 # apt-get --yes remove --purge manpages man-db perl bash-completion
    2182 
    2183 # Remove openssh-server.
    2184 apt-get --yes remove --purge openssh-server || true
    2185 
    2186 # Kill dhclient3 to prevent rewrite of /var/lib/dhcp/*.
    2187 killall dhclient3 || true
    2188 # There are .leases.
    2189 rm /var/lib/dhcp/*.leases || true
    2190 # And there are .lease.
    2191 rm /var/lib/dhcp/*.lease || true
    2192 # We are best of deleting the whole folder.
    2193 rm -r /var/lib/dhcp/* || true
    2194 
    2195 # Better save than sorry.
    2196 # rm /etc/resolv.conf || true
    2197 echo "nameserver 192.168.0.1" > /etc/resolv.conf
    2198 
    2199 # Cleanup.
    2200 apt-get --yes autoremove --purge || true
    2201 apt-get --yes clean || true
    2202 
    2203 # Killing rsyslog so we can remove logs.
    2204 stop rsyslog || true
    2205 
    2206 # Delete logs and other stuff.
    2207 rm -r /tmp/* || true
    2208 rm /var/log/installer/* || true
    2209 rm -r /var/cache/apt/* || true
    2210 rm -r /var/lib/apt/lists/* || true
    2211 rm -r /var/log/installer || true
    2212 rm /var/lib/dpkg/*-old || true
    2213 rm /var/cache/debconf/*-old || true
    2214 # Erase rotated logs (usually wont appear unless you left your VM running for several days).
    2215 rm /var/log/*.[0-9] || true
    2216 rm /var/log/*.[0-9].gz || true
    2217 
    2218 # Truncate all log files, keeping user group and perms.
    2219 find /var/log -type f -exec cp /dev/null {} \;
    2220 
    2221 # TODO
    2222 # Which are safe?
    2223 # rm /usr/share/icons/nuoveXT2/icon-theme.cache
    2224 # cd /usr/share/locale &&  ls | grep -v en | xargs rm -r && cd /home/$USERNAME
    2225 # rm -r /usr/share/doc/* #(are we even allowed to do that, see licenses?)
    2226 
    2227 # Take care of development leaks and make resulting ova image smaller.
    2228 # Since VBox export works below the FS level it will keep deleted files (and the ova will stay large).
    2229 # This also ensure that possible leaks we deleted before are really deleted.
    2230 echo "Wiping free space. This can take a while."
    2231 dd if=/dev/zero of=./zerofile bs=1024 || true
    2232 
    2233 # Flush the zero-file to disk before removing it.
    2234 sync
    2235 
    2236 # Delete the zero-file.
    2237 rm ./zerofile || true
    2238 
    2239 # Flush again after rm.
    2240 sync
    2241 
    2242 # Delete bash history.
    2243 rm /home/$USERNAME/.bash_history
    2244 history -c
    2245 }
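Review bot: `dd if=/dev/zero of=./zerofile` writes to the current working directory, which this function never sets; ask_tb_update() does `cd /home/$USERNAME` and `cd tbbdownload`, so depending on call order the zero file, and the later `rm ./zerofile`, end up somewhere other than intended. Use an absolute path such as `/zerofile`. `rm /home/$USERNAME/.bash_history` lacks the `|| true` used everywhere else in this function and fails on a fresh system with no history file, and `history -c` clears the history of the shell running this script, not the user's. /etc/resolv.conf is written here and again in config_network(); one place is enough.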
    2246 
    2247 
    2248 # SPLITOFF the whole Tor Browser related scripts should be moved into their own file
    2249 #          /home/user/TorBOX_source/TorBOX_Workstation/usr/local/bin/torbrowser-update
    2250 # Please keep in mind, we allow -update-torbrowser to run without root. If you ever make some changes,
    2251 # to ask_tb_update(), which require root, please disallow running the script without root.
    2252 ask_tb_update() {
    2253 #################################
    2254 # prompt user about TBB update.
    2255 #################################
    2256 cd /home/$USERNAME
    2257 rm -r tbbdownload/
    2258 sudo -u $USERNAME mkdir tbbdownload
    2259 cd tbbdownload
    2260 
    2261 echo "
    2262 #################################
    2263 # Getting latest version number
    2264 #################################
    2265 "
    2266 
    2267 sudo -u $USERNAME wget --output-document RecommendedTBBVersions https://check.torproject.org/RecommendedTBBVersions
    2268 TBBVERSION=`grep Linux-i686 RecommendedTBBVersions |egrep -v 'alpha|x86_64'|awk '{sub(/^"/,"")}1'|awk '{sub(/-Linux-i686",/,"")}1'|tail -1`
    2269 
    2270 echo "
    2271 #################################
    2272 # Getting currently installed version number
    2273 #################################
    2274 "
    2275 
    2276 # Will fail if the file does not exist. Will not break the script.
    2277 # TODO:
    2278 # - (proper) Lets hardcode the path to /home/$USERNAME/tor-browser_en-US/Docs/changelog ?
    2279 # - (proper) Needs to be changed/fixed in torcheck as well, since torcheck is currently broken.
    2280 #   (torcheck is in /usr/local/bin/torcheck and .. relative paths do not work there.)
    2281 TBBINSTALLEDVERSION=`head -1 ../tor-browser_en-US/Docs/changelog|awk -F '[()]' '{print $2}'`
    2282 
    2283 current="$TBBINSTALLEDVERSION"
    2284 check=""
    2285 
    2286 if [ "$current" != "$check" ];
    2287 then
    2288         echo "INFO: Successfully detected Tor Browser version."
    2289 else
    2290         echo "INFO: Could not determine the currently installed Tor Browser version."
    2291         echo "INFO: This could be either because none is installed or because the version format changed."
    2292         TBBINSTALLEDVERSION="UNKNOWN"
    2293 fi
    2294 
    2295 echo "Please close TorBrowswer if you want to upgrade!"
    2296 echo "TBB version $TBBINSTALLEDVERSION is currently installed. Do you want to replace it with $TBBVERSION?"
    2297 echo 'If your currently installed version is higher you are likely victim of a downgrade attack, SAY NO NOW!'
    2298 echo "If your currently installed version is lower you should upgrade, if it matches say no now."
    2299 echo "WARNING: YOUR BROWSER WILL BE KILLED."
    2300 echo "WARNING: YOUR WHOLE BROWSER PROFILE INCLUDING BOOKMARKS AND PASSWORDS WILL GET REPLACED!"
    2301 echo "INFO: The old browser and settings are automatically backed up"
    2302 echo "INFO: It's a good idea to delete old TBB backups once in a while if you are running low with disk space."
    2303 echo -n "Do you want to upgrade? [y/N]"
    2304 
    2305 read answer
    2306 
    2307 if test "$answer" != "Y" -a "$answer" != "y";
    2308 then
    2309         cd /home/$USERNAME
    2310         echo "INFO: Deleting temporary folder tbbdownload."
    2311         sudo -u $USERNAME rm -r tbbdownload
    2312         # Exit this function.
    2313         return
    2314 fi
    2315 
    2316 echo "
    2317 #################################
    2318 # Killing TorBrowser if it is still running.
    2319 #################################
    2320 "
    2321 
    2322 killall firefox
    2323 
    2324 echo "
    2325 #################################
    2326 # Starting TBB download and installation
    2327 #################################
    2328 "
    2329 
    2330 config_torbrowser
    2331 }
    2332 
    2333 
    2334 
    2335 uninstall_tw() {
    2336 cd /home/$USERNAME
    2337 cp /etc/init/tty6.conf.backup /etc/init/tty6.conf
    2338 cp /etc/network/interfaces.backup /etc/network/interfaces
    2339 cp /etc/sudoers.backup /etc/sudoers
    2340 chmod 0440 /etc/sudoers
    2341 
    2342 rm -r /etc/lighttpd/
    2343 mv /etc/lighttpd.backup/ /etc/lighttpd/
    2344 
    2345 sudo -u $USERNAME cp .bashrc.backup .bashrc
    2346 sudo -u $USERNAME cp .gtkrc-2.0.backup .gtkrc-2.0
    2347 sudo -u $USERNAME cp .profile.backup .profile
    2348 sudo -u $USERNAME cp .gnupg/gpg.conf.backup .gnupg/gpg.conf
    2349 
    2350 rm -r .xchat2/
    2351 rm -r .config/openbox/
    2352 rm -r tor-browser_en-US/
    2353 rm .config/libfm/libfm.conf
    2354 rm -r leaktest/
    2355 rm /usr/local/bin/leaktest
    2356 rm /usr/local/bin/torcheck
    2357 rm -r tbbdownload/
    2358 rm /usr/local/bin/{apt-get,gpg,ssh,torsocks,uwt,git,htpdate,usewithtor,wget}
    2359 echo "You need to fix /etc/resolv.conf manually!"
    2360 }
    2361 
    2362 
    2363 
    2364 ######################################################
    2365 # install TorBOX-Workstation
    2366 ######################################################
    2367 if [[ "$1" = "-install" ]]; then
    2368 root_check                 # Depends on nothing.
    2369 
    2370 set_sysctl                 # Depends on root_check, being run only once.
    2371 create_swap_file           # Depends on root_check, not being run again when in use.
    2372 config_uuids_fstab         # Depends on root_check, not being run again after adding new hdds.
    2373 config_etc                 # Depends on root_check. Provides UTC timezone.
    2374 create_fix_sources_list    # Depends on root_check, not being run after the user modified sources.list.
    2375 
    2376 # http://lifeonubuntu.com/how-to-prevent-server-daemons-from-starting-during-apt-get-install/
    2377 # Prevents Tor from connecting the the public Tor network while building
    2378 # (for bridge users). Should also take care of chroot mount getting locked
    2379 echo "#!/bin/sh
    2380 exit 101" > /usr/sbin/policy-rc.d
    2381 chmod 755 /usr/sbin/policy-rc.d
    2382 
    2383 apt_get                    # Depends on root_check, create_fix_sources_list, working internet connection, UTC.
    2384 config_grub                # Depends on root_check, being run only once.
    2385 set_dbusmachineid          # Depends on root_check, apt_get
    2386 
    2387 torsocks_patch             # Depends on root_check, working internet connection.
    2388 
    2389 base_desktop               # Depends on root_check, working internet connection.
    2390 config_audio               # Depends on base_desktop.
    2391 config_home                # Depends on being run only once.
    2392 config_openbox             # Depends on apt_get
    2393 create_gui_autostarts      # Depends on nothing.
    2394 config_pcmanfm             # Depends on apt_get
    2395 config_torbrowser          # Depends on working internet connection, calls create_tb_user_js
    2396 
    2397 install_uwt                # Depends on root_check.
    2398 install_uwt_wrappers       # Depends on root_check. Breaks internet connection!
    2399 
    2400 leaktest_tw                # Depends on nothing.
    2401 config_xchat               # Depends on nothing.
    2402 #+# #OptionalFeatureNr.2#
    2403 #optional_hiddenserver     # Depends on root_check.
    2404 
    2405 # Disabled because taken care by debootstrap
    2406 # TODO: what about other installation methods?
    2407 #        (proper) Should we not rather  drop other installation methods for simplicity
    2408 #                 and improved maintainability?
    2409 #create_torcheck_script    # Depends on root_check.
    2410 
    2411 modify_crontab             # Depends on nothing.
    2412 
    2413 firewall_setup             # Depends on root_check.
    2414 config_network             # Depends on root_check. Breaks internet connection!
    2415 
    2416 # make daemons start again
    2417 rm -f /usr/sbin/policy-rc.d
    2418 
    2419 create_rc_local            # Depends on root_check, not being run again /etc/rc.local got modified by the user.
    2420 slim_down                  # Depends on root_check, being last function.
    2421 
    2422 echo '
    2423 Script completed, this indicates neither success nor failure.
    2424 E.g.: Check that TBB downloaded successfully ("ls ~" will tell you)
    2425 
    2426 Do not forget to change VBox Adapter 1 to Internal Network, Name:"torbox"
    2427 ' >&2
    2428 exit 0
    2429 fi
    2430 
    2431 
    2432 
    2433 ################################################################
    2434 # update TorBOX-Workstation                                       #
    2435 ################################################################
    2436 if [[ "$1" = "-update" ]]; then
    2437 root_check
    2438 ## If this does not work or is not thorough enough, first -uninstall, then -install again
    2439 apt_get                    # Depends on root_check, working internet connection, UTC.
    2440 base_desktop               # Depends on root_check, working internet connection.
    2441 create_gui_autostarts      # Depends on nothing.
    2442 install_uwt                # Depends on root_check.
    2443 install_uwt_wrappers       # Depends on root_check. Breaks internet connection!
    2444 create_tb_user_js          # TODO: remove if it works: What is defunct?
    2445 leaktest_tw                # Depends on nothing.
    2446 #create_torcheck_script    # Depends on root_check.
    2447 modify_crontab             # Depends on nothing.
    2448 ask_tb_update              # calls config_torbrowser which calls create_tb_user_js
    2449 exit 0
    2450 fi
    2451 
    2452 
    2453 
    2454 ################################################################
    2455 # xchat                                                        #
    2456 ################################################################
    2457 if [[ "$1" = "-xchat" ]]; then
    2458 echo "INFO: Resetting your IRC XChat identity..."
    2459 killall xchat
    2460 rm -r .xchat2
    2461 config_xchat
    2462 echo "INFO: Done."
    2463 echo "INFO: Be sure to change your circuit before you reconnect to IRC!"
    2464 
    2465 exit 0
    2466 fi
    2467 
    2468 
    2469 
    2470 ################################################################
    2471 # update-torbrowser                                            #
    2472 ################################################################
    2473 if [[ "$1" = "-update-torbrowser" ]]; then
    2474 ask_tb_update # calls config_torbrowser which calls create_tb_user_js
    2475 exit 0
    2476 fi
    2477 
    2478 
    2479 
    2480 ################################################################
    2481 # -hiddenserver                                                #
    2482 ################################################################
    2483 if [[ "$1" = "-hiddenserver" ]]; then
    2484 root_check
    2485 optional_hiddenserver
    2486 exit 0
    2487 fi
    2488 
    2489 
    2490 
    2491 ################################################################
    2492 # -uwt                                                         #
    2493 ################################################################
    2494 if [[ "$1" = "-uwt" ]]; then
    2495 root_check
    2496 install_uwt
    2497 install_uwt_wrappers
    2498 create_tb_user_js
    2499 exit 0
    2500 fi
    2501 
    2502 
    2503 
    2504 ################################################################
    2505 # uninstall TorBOX-Workstation                                    #
    2506 ################################################################
    2507 if [[ "$1" = "-uninstall" ]]; then
    2508 root_check
    2509 uninstall_tw
    2510 exit 0
    2511 fi
    2512 
    2513 
    2514 
    2515 ################################################################
    2516 # help                                                         #
    2517 ################################################################
    2518 if [[ "$1" = "-help" ]]; then
    2519 script_help
    2520 exit 0
    2521 fi
    2522 
    2523 
    2524 
    2525 ################################################################
    2526 # no option chosen                                             #
    2527 ################################################################
    2528 if [[ "$1" = "" ]]; then
    2529 echo "
    2530 INFO: No option chosen.
    2531 
    2532 Please run TorBOX-Workstation -help to find out more.
    2533 "
    2534 
    2535 exit 0
    2536 fi
    2537 ###################################################################################################################
    2538 
    2539 # TODO: Add this.
    2540 #
    2541 # Touching the default browser.startup.homepage is not a good idea, since TorButton sets the
    2542 # "up to date" or "not up to date" homepage.
    2543 #
    2544 #  we don't need that anymore, with torcheck implemented we can keep the readme as the homepage
    2545 #   (proper) When TorButton is updated and version format is changed, torcheck in tbb will still
    2546 #            continue to work.
    2547 #             in that case zenity should prompt the user to visit check.tpo. Not that the code below doesn't help in that case either.
    2548 #               (proper) When visiting check.torproject.org manually, Tor Browser will not notify about updates. Afaik this only happens
    2549 #                        on startup and the default homepage has not been touched and still is check.tpo.
    2550 #                        That code would help in that case. If Tor Button gets updated, everyone gets the Tor Button update and if the
    2551 #                        version format changes at the same time, Tor Buttons update notification will continue to work.
    2552 #               (proper) Now that torcheck uses TransPort instant of SocksPort (see torcheck script comments), leaving check.tpo in
    2553 #                        Tor Browser would also demonstrate, that stream isolation is functional.
    2554 #                           The Tor Button update check used to be broken and report false positives when being run behind a transparent proxy and probably socks port, we should test that again. If it's still broken that's a very good reason to keep the default home page changed.
    2555 #                               (proper) Test: I used my archived old tor-browser-gnu-linux-i686-2.2.35-12-dev-en-US.tar.gz,
    2556 #                                        used the fixed startup script and my revised user.js. Result: Update check works when using SocksPort 192.168.0.1 9100.
    2557 #                               (proper) The problem with the code below is also, it opens Tor Browser and the readme only once after boot.
    2558 #                                        But we should show the readme/news each time the users starts Tor Browser. We could let the script run permanently,
    2559 #                                        safe the Tor Browser pid in memory and each time there is a new pid open the readme.
    2560 
    2561 #!/bin/bash
    2562 #if [ "$(pgrep firefox)" = "" ]; then
    2563 #   echo "Starting TorBrowser"
    2564 #   ~/tor-browser_en-US/start-tor-browser &
    2565 #else
    2566 #   echo "TBB is already running"
    2567 #fi
    2568 #
    2569 #while [ "$(xlsclients | grep firefox)" = "" ]
    2570 #do
    2571 #   sleep 3
    2572 #done
    2573 #
    2574 #echo "Opening TorBOX Readme"
    2575 #~/tor-browser_en-US/App/Firefox/firefox --profile Data/profile -new-tab https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Readme
    2576 }}}
     5https://sourceforge.net/p/whonix/wiki/BuildDocumentation/
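Review bot: In the removed `-xchat` branch (old lines 2457-2466), `rm -r .xchat2` runs with no preceding `cd /home/$USERNAME`, unlike `ask_tb_update` and `uninstall_tw`, which both `cd` into the home directory first; the directory deleted therefore depends on wherever the script was invoked from, so either add the `cd` or use the absolute path `rm -r /home/$USERNAME/.xchat2`. Two further points in the same removed block are worth carrying over if this script is resurrected elsewhere. In `ask_tb_update` (old lines 2267-2298) the downgrade check is delegated entirely to the user ("SAY NO NOW!") although the script already holds both `$TBBINSTALLEDVERSION` and `$TBBVERSION`; it never verifies that `$TBBVERSION` is non-empty after the `wget`, so a failed download prompts "replace it with ?" and, on a `y`, still runs `config_torbrowser`; and `rm -r tbbdownload/` at old line 2257 runs as the invoking user while the neighbouring `mkdir` runs via `sudo -u $USERNAME`, which sits uneasily with the comment that this function must keep working without root. In the `-install` branch, `/usr/sbin/policy-rc.d` is created at old lines 2379-2381 and only removed at old line 2417, so any failure or interruption in between leaves daemons blocked on every later `apt-get install`; removing it from a cleanup handler would be safer. Finally, in `slim_down`, `history -c` clears only the script's own non-interactive shell history, `rm /home/$USERNAME/.bash_history` leaves root's history untouched, and `dd ... of=./zerofile` writes relative to the current directory rather than a fixed path on the filesystem being wiped.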