
Version 13 (modified by cypherpunks, 6 years ago) (diff)

remove changelog from readme (so I don't have to keep it updated...)

#!/bin/bash
# ~/tor-workstation.sh

# Automatically transform a fresh minimal Ubuntu Server 11.10 into a "Tor-Workstation" to be used in TorBOX:
# https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/

# The script is tested and complete, but it assumes things like a working internet connection and doesn't
# fail gracefully. Only run it on a clean VM. Make a snapshot first so you don't have to reinstall if things break!
# Username must be "user", hostname "ubuntu"!

# List of modified files (might be outdated, doesn't include files that got installed by the script)
# /etc/localtime
# /etc/fonts/conf.d/10-sub-pixel-rgb.conf
# /etc/init/tty6.conf
# /etc/sudoers
# ./config/*
# .xinitrc
# .profile
# .bashrc
# /etc/resolv.conf
# /etc/network/interfaces

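# Check if we are root: every later step writes system files and drops to
# the unprivileged user with "sudo -u user", so refuse early. Diagnostics
# go to stderr so they are not mixed into captured output.
if [[ "$(id -u)" != "0" ]]; then
  echo "This script must be run as root (sudo)" >&2
  exit 1
fi

# change to home dir so relative paths work correctly.
# If the cd fails, every relative write below (.bashrc, .config/..., the
# TBB download) would land in the caller's cwd instead, so abort here.
cd /home/user || { echo "cannot cd to /home/user (username must be \"user\")" >&2; exit 1; }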

# update system
apt-get update && apt-get --yes dist-upgrade

# remove problematic software (canonical-census may not be installed; ignore)
apt-get --yes remove canonical-census || true
apt-get --yes remove ntpdate

# install base desktop
base_pkgs=(
  xinit openbox obmenu tint2 libasound2 lxappearance roxterm mingetty
  lxde-icon-theme unrar thttpd alsa mplayer leafpad
)
apt-get --yes install "${base_pkgs[@]}"
# the applications go in without their recommended packages
app_pkgs=(pcmanfm evince file-roller xchat gpicview gnome-mplayer)
apt-get --yes install --no-install-recommends "${app_pkgs[@]}"

# remove unnecessary packages to slim down the system: the listed X video
# driver packages (brace expansion keeps the same package order)
video_drivers=(xserver-xorg-video-{all,ati,fbdev,geode,intel,mach64,mga,neomagic,nouveau,openchrome,qxl,r128,radeon,s3,savage,siliconmotion,sis,sisusb,tdfx,trident,vmware})
apt-get --yes remove --purge "${video_drivers[@]}"
# Not sure about those:
# apt-get --yes remove --purge aptitude command-not-found* mlocate parted rpm ufw geoip-database telnet sound-theme-freedesktop
# apt-get --yes remove --purge fuse manpages man-db bash-completion

# in case we forgot to set the time during installation
# (UTC is also what the README written below tells the user: no time zone leaks)
cp /usr/share/zoneinfo/UTC /etc/localtime

# enable sub pixel rendering
cp /etc/fonts/conf.avail/10-sub-pixel-rgb.conf /etc/fonts/conf.d/

# Auto-login on tty6
# ed script (via here-string): ",s/.../.../g" swaps the getty line of the
# upstart job for mingetty --autologin user, then "w" writes the file.
# mingetty is installed above; only tty6 is modified.
ed -s /etc/init/tty6.conf <<< $',s/exec \/sbin\/getty -8 38400 tty6/exec \/sbin\/mingetty --autologin user --noclear tty6/g\nw'

# Enable sound
# audio group membership for the user, then Master and PCM set to 70 and unmuted
usermod -a -G audio user
amixer set Master 70 unmute
amixer set PCM 70 unmute

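# Allow user to reboot and poweroff without having to supply a password.
# The rule is appended to a private copy of /etc/sudoers (mktemp, so the
# path is not predictable), the copy is syntax-checked with visudo, and only
# then installed over the real file as root:root 0440. Appending straight to
# /etc/sudoers would skip the syntax check, and one malformed line locks
# everyone out of sudo.
sudoers_tmp=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
cp /etc/sudoers "$sudoers_tmp"
echo "user ubuntu=NOPASSWD: /sbin/shutdown -h now,/sbin/reboot,/sbin/poweroff" >> "$sudoers_tmp"
# visudo -c also checks owner and mode, so the copy must already look like sudoers
chmod 0440 "$sudoers_tmp"
if visudo -c -q -f "$sudoers_tmp"; then
  install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers
else
  echo "new sudoers rule failed the visudo syntax check, /etc/sudoers left unchanged" >&2
fi
rm -f -- "$sudoers_tmp"

# shell aliases so "reboot"/"poweroff" go through the NOPASSWD rule above
echo '
alias reboot="sudo reboot"
alias poweroff="sudo poweroff"' | sudo -u user tee -a .bashrc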

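# Configuring openbox desktop (-p: re-running the script must not fail here)
sudo -u user mkdir -p .config/openbox
sudo -u user mkdir -p .config/tint2
sudo -u user cp /usr/share/doc/tint2/examples/icon_and_text_1.tint2rc /home/user/.config/tint2/tint2rc
sudo -u user cp /etc/xdg/openbox/rc.xml .config/openbox/

# .xinitrc: start the panel, then openbox. The path is relative to the cwd
# (/home/user), NOT "~": this script runs as root, so "~" expands to /root
# and the file would end up in root's home where startx for "user" never
# finds it.
echo " tint2 &
exec openbox-session" | sudo -u user tee .xinitrc

# Fix ugly corners in tint2rc (ed: substitute on every line, then write)
sudo -u user ed -s .config/tint2/tint2rc <<< $',s/rounded = 7/rounded = 0/g\nw'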

# Set up theme and icons for gtk2 apps; gtk3 TODO!
# Quoted here-document: nothing inside is expanded, the text lands verbatim.
sudo -u user tee .gtkrc-2.0 <<'EOF'
gtk-theme-name="Weightless-industry"
gtk-icon-theme-name="nuoveXT2"
gtk-font-name="Sans 10"
gtk-cursor-theme-size=0
gtk-toolbar-style=GTK_TOOLBAR_BOTH
gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=1
gtk-enable-input-feedback-sounds=1
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle="hintfull"
include "/home/user/.gtkrc-2.0.mine"
EOF

# configure pcmanfm
sudo -u user mkdir -p .config/libfm/

# libfm settings shared by pcmanfm; written the same way as .gtkrc-2.0 above
sudo -u user tee .config/libfm/libfm.conf <<'EOF'
[config]
single_click=0
use_trash=0
confirm_del=1
show_internal_volumes=0
terminal=x-terminal-emulator -e %s
archiver=file-roller
thumbnail_local=1
thumbnail_max=2048

[ui]
big_icon_size=48
small_icon_size=24
pane_icon_size=24
thumbnail_size=128
show_thumbnail=1
EOF


# auto-start X, we don't need a display manager
# .profile is read by the login shell on the autologin tty6 set up above;
# the "$DISPLAY" test keeps startx from being run again from inside X.
echo '
# if logging into tty6 (which will autologin), run startx
if [ -z "$DISPLAY" ] && [ $(tty) = /dev/tty6 ] ; then
    startx ;
fi' | sudo -u user tee -a .profile

# maximize TorBrowser windows
# ed script: "/<applications>/a" appends after the first matching line,
# "." ends the inserted text, "wq" writes rc.xml and quits.
( echo '/<applications>/a'; echo '<application class="Firefox*" role="browser"> <maximized>yes</maximized> </application>'; echo '.'; echo 'wq') | sudo -u user ed -s .config/openbox/rc.xml 

# Win+Space shows Openbox menu. (same ed pattern, anchored on <keyboard>)
( echo '/<keyboard>/a'; echo '<keybind key="W-space"><action name="ShowMenu"><menu>root-menu</menu></action></keybind>'; echo '.'; echo 'wq') | sudo -u user ed -s .config/openbox/rc.xml 

# configure the openbox right click menu (menu.xml).
# The TorBrowser entry launches the start-tor-browser script patched further
# below; the "Shut down" entry runs sudo /sbin/poweroff and therefore relies
# on the NOPASSWD sudoers rule added above.
echo '<?xml version="1.0" encoding="utf-8"?>
<openbox_menu xmlns="http://openbox.org/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://openbox.org/                 file:///usr/share/openbox/menu.xsd">
        <menu id="root-menu" label="Openbox 3">
                <item label="Terminal">
                        <action name="Execute">
                                <execute>
                                        x-terminal-emulator
                                </execute>
                        </action>
                </item>
                <item label="TorBrowser">
                        <action name="Execute">
                                <execute>
                                        /home/user/tor-browser_en-US/start-tor-browser 
                                </execute>
                        </action>
                </item>
                <item label="File Manager">
                        <action name="Execute">
                                <execute>
                                        pcmanfm
                                </execute>
                        </action>
                </item>
                <menu id="root-menu-1" label="Applications">
                        <item label="Archive Manager">
                                <action name="Execute">
                                        <execute>
                                                file-roller
                                        </execute>
                                </action>
                        </item>
                        <item label="IRC Client">
                                <action name="Execute">
                                        <execute>
                                                xchat
                                        </execute>
                                </action>
                        </item>
                        <item label="Media Player">
                                <action name="Execute">
                                        <execute>
                                                gnome-mplayer
                                        </execute>
                                </action>
                        </item>
                        <item label="PDF Viewer">
                                <action name="Execute">
                                        <execute>
                                                evince
                                        </execute>
                                </action>
                        </item>
                        <item label="Text Editor">
                                <action name="Execute">
                                        <execute>
                                                leafpad
                                        </execute>
                                </action>
                        </item>
                </menu>
                <separator/>
                <menu id="client-list-menu"/>
                <separator/>
                <item label="obmenu">
                        <action name="Execute">
                                <execute>
                                        obmenu
                                </execute>
                        </action>
                </item>
                <item label="obconf">
                        <action name="Execute">
                                <execute>
                                        obconf
                                </execute>
                        </action>
                </item>
                <item label="lxappearance">
                        <action name="Execute">
                                <execute>
                                        lxappearance
                                </execute>
                        </action>
                </item>
                <item label="Reconfigure">
                        <action name="Reconfigure"/>
                </item>
                <item label="Restart">
                        <action name="Restart"/>
                </item>
                <separator/>
                <item label="Exit">
                        <action name="Exit"/>
                </item>
                <item label="Shut down">
                        <action name="Execute">
                                <execute>
                                        sudo /sbin/poweroff
                                </execute>
                        </action>
                </item>
        </menu>
</openbox_menu>' | sudo -u user tee .config/openbox/menu.xml


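# Set up thttpd for hidden service. This is disabled by default.
# remove ": <<'COMMENT1'" and "COMMENT1" if you want to install a hidden service.
# The block is fed to the no-op ":" as a *quoted* here-document, so nothing in
# it runs and nothing in it is expanded; a bare, unquoted "<<COMMENT1" would
# still evaluate any $(...) or $var that someone later adds to the "disabled"
# block.
: <<'COMMENT1'
cp -n /etc/default/thttpd /etc/default/thttpd.backup
cp -n /etc/thttpd/thttpd.conf /etc/thttpd/thttpd.conf.backup

echo "ENABLED=yes" > /etc/default/thttpd

echo " # see /etc/thttpd/thttpd.conf.backup for comments and more options
port=12345
dir=/var/www
chroot
user=www-data
logfile=/var/log/thttpd.log" > /etc/thttpd/thttpd.conf

/etc/init.d/thttpd restart
COMMENT1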

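# Install TBB and patch it. This does not necessarily install the latest version!
# Tarball name and expected SHA-256 live in one place so the download, the
# checksum file, the extraction and the cleanup cannot drift apart.
tbb_tarball=tor-browser-gnu-linux-i686-2.2.35-7.2-dev-en-US.tar.gz
tbb_sha256=5b657ffa3724658c4225493c868fbe8938eec8f3db3017988857c416d075af10
sudo -u user wget "https://www.torproject.org/dist/torbrowser/linux/${tbb_tarball}"
# this doesn't replace gpg verification!
echo "${tbb_sha256}  ${tbb_tarball}" | sudo -u user tee "${tbb_tarball}.sha256"
# on a mismatch (or a failed download) remove the tarball and its checksum
# file, so the test below sees nothing and drops the marker instead
sudo -u user sha256sum -c "${tbb_tarball}.sha256" || rm -f -- "${tbb_tarball}"*

if [[ -f "$tbb_tarball" ]]; then
  sudo -u user tar -xzvf "$tbb_tarball"
  # launch Firefox with the bundled profile instead of vidalia: this VM relies
  # on the gateway's transparent proxying (see the README note below), so the
  # bundled tor/vidalia are never started
  sudo -u user ed -s tor-browser_en-US/start-tor-browser <<< $',s/.\/App\/vidalia --datadir Data\/Vidalia\//.\/App\/Firefox\/firefox --profile Data\/profile/g\nw'
  # drop the unused tor/vidalia binaries, data, docs and Qt libraries
  sudo -u user rm ./tor-browser_en-US/App/{tor,vidalia}
  sudo -u user rm -r ./tor-browser_en-US/Data/{Tor,Vidalia}
  sudo -u user rm -r ./tor-browser_en-US/Docs/{Tor,Vidalia,Qt,README-TorBrowserBundle}
  sudo -u user rm -r ./tor-browser_en-US/Lib/*
  # empty socks host/proxy prefs: torbutton must not expect a local Tor
  echo 'user_pref("browser.startup.homepage", "file:///home/user/README.html");
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.custom.socks_host", "");
user_pref("extensions.torbutton.socks_host", "");
user_pref("network.proxy.socks", "");' | sudo -u user tee ./tor-browser_en-US/Data/profile/user.js
  rm -f -- "${tbb_tarball}"*
else
  # marker file in /home/user so the final "ls ~" check shows what happened
  touch TB_download_failed-checksum_mismatch
fi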

# Drop README.html (the TorBrowser start page, see user.js above).
# Quoted delimiter: the "$KEYMAP" in the keyboard hint must stay literal.
cat > ./README.html <<'EOF'
<h1>Welcome to TorBOX-WorkstationVM 0.1</h1>
Development Preview. Do not rely on it for strong anonymity.</b>
TorBOX Homepage:</br>https://trac.torproject.org/projects/tor/wiki/doc/TorBOX 
<h2>Checklist</h2>
<h4>1) If you want to change the keyboard layout from the default "us":</h4>
Open a Terminal and run</br>
<font color="00FF00">KEYMAP=us && setxkbmap $KEYMAP && echo "setxkbmap $KEYMAP &" > ~/.config/openbox/autostart</font></br>
Replace "us" with your country code.
<h4>2) Change the default password!</h4>
The current password is "changeme"</br>
To change it open a Terminal and run <font color="00FF00">passwd</font>.
<h4>3) Verify you are connected to Tor:</h4>
https://check.torproject.org</br>
Note that this site may falsely claim that updates are available. This is because torcheck was written for TBB and does not support the transparent proxy mode.
<h2>Warnings and notes</h2>
<LI>To prevent against time zone leaks, the clock was set to UTC.
<LI>Keep TB updated, verify the download with gpg! Regularly check https://blog.torproject.org for news!
<LI>Use offline updates if you want to install large packages such as libreoffice.
<LI>Please do not use torrents!
EOF

# Static addressing towards the TorBOX gateway (192.168.0.1), which is also
# the only nameserver; the restart at the end drops any ssh session.
printf '%s\n' "setting up network, if you use ssh, the session will disconnect"
cat > /etc/resolv.conf <<'EOF'
nameserver 192.168.0.1
EOF
cat > /etc/network/interfaces <<'EOF'
# for more information, see interfaces(5)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
# increment last octet on additional workstations
address 192.168.0.2
       netmask 255.255.255.0
       network 192.168.0.0
       broadcast 192.168.0.255
       gateway 192.168.0.1
EOF

/etc/init.d/networking restart

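# Cleanup
# the ssh server was only useful while building (the network restart above
# already dropped any session); it does not ship in the image
apt-get --yes remove --purge openssh-server
apt-get --yes autoremove --purge
apt-get --yes clean
# auth.log is a regular file: -f (not -r) so a missing file is not an error
rm -f /var/log/auth.log
rm -rf -- /tmp/*

# which are safe?
# rm -r /var/log/*
# rm -r /usr/src/*
# rm -r /var/cache/apt/*
# rm -r /usr/share/doc/*
# rm /usr/share/icons/nuoveXT2/icon-theme.cache
# cd /usr/share/locale &&  ls | grep -v en | xargs rm -r && cd /home/user
# rm -r /usr/share/doc/* #(are we even allowed to do that, see licenses?)

# Since VBox export works below the FS level it will keep deleted files (and the ova will stay large).
# Fill remaining free space with zeros. This also ensures that possible leaks we deleted before are really deleted.
# bs=1M only changes the write speed, not what ends up on disk; dd stopping
# with "No space left on device" is the expected end state, not an error.
dd if=/dev/zero of=./zerofile bs=1M || true
# flush before unlinking: dirty pages of a file removed right after writing
# may be dropped instead of written, leaving the freed blocks un-zeroed
sync
rm -f zerofile
rm -f .bash_history

# create directory for torbox documentations, files such as this script.
mkdir -p /usr/share/doc/torbox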

# Final summary for the operator; the script itself does not track failures.
cat <<'EOF'



Script completed, this indicates neither success nor failure.
E.g.: Check that TBB downloaded successfully ("ls ~" will tell you)

A few final manual steps need to be done:

Manually move the script to /usr/share/doc/torbox,
Clear .bash_history
Do not forget to set the password to changeme.
Finally: Power down, change VBox Adapter 1 to Internal Network, Name:"torbox"
Test the ova before release!
EOF