Keep SSH tunnel open with autossh, and give the root user SSH keys so the unprivileged user can't access the host

This commit is contained in:
Micah Lee 2021-07-14 11:36:13 -07:00
parent 3f76211459
commit 2c2f87593c
No known key found for this signature in database
GPG key ID: 403C2657CD994F73
6 changed files with 100 additions and 101 deletions


@ -10,72 +10,72 @@ RUN apk -U upgrade && \
poppler-utils \
py3-magic \
py3-pillow \
sudo
# tesseract-ocr \
# tesseract-ocr-data-afr \
# tesseract-ocr-data-ara \
# tesseract-ocr-data-aze \
# tesseract-ocr-data-bel \
# tesseract-ocr-data-ben \
# tesseract-ocr-data-bul \
# tesseract-ocr-data-cat \
# tesseract-ocr-data-ces \
# tesseract-ocr-data-chi_sim \
# tesseract-ocr-data-chi_tra \
# tesseract-ocr-data-chr \
# tesseract-ocr-data-dan \
# tesseract-ocr-data-deu \
# tesseract-ocr-data-ell \
# tesseract-ocr-data-enm \
# tesseract-ocr-data-epo \
# tesseract-ocr-data-equ \
# tesseract-ocr-data-est \
# tesseract-ocr-data-eus \
# tesseract-ocr-data-fin \
# tesseract-ocr-data-fra \
# tesseract-ocr-data-frk \
# tesseract-ocr-data-frm \
# tesseract-ocr-data-glg \
# tesseract-ocr-data-grc \
# tesseract-ocr-data-heb \
# tesseract-ocr-data-hin \
# tesseract-ocr-data-hrv \
# tesseract-ocr-data-hun \
# tesseract-ocr-data-ind \
# tesseract-ocr-data-isl \
# tesseract-ocr-data-ita \
# tesseract-ocr-data-ita_old \
# tesseract-ocr-data-jpn \
# tesseract-ocr-data-kan \
# tesseract-ocr-data-kat \
# tesseract-ocr-data-kor \
# tesseract-ocr-data-lav \
# tesseract-ocr-data-lit \
# tesseract-ocr-data-mal \
# tesseract-ocr-data-mkd \
# tesseract-ocr-data-mlt \
# tesseract-ocr-data-msa \
# tesseract-ocr-data-nld \
# tesseract-ocr-data-nor \
# tesseract-ocr-data-pol \
# tesseract-ocr-data-por \
# tesseract-ocr-data-ron \
# tesseract-ocr-data-rus \
# tesseract-ocr-data-slk \
# tesseract-ocr-data-slv \
# tesseract-ocr-data-spa \
# tesseract-ocr-data-spa_old \
# tesseract-ocr-data-sqi \
# tesseract-ocr-data-srp \
# tesseract-ocr-data-swa \
# tesseract-ocr-data-swe \
# tesseract-ocr-data-tam \
# tesseract-ocr-data-tel \
# tesseract-ocr-data-tgl \
# tesseract-ocr-data-tha \
# tesseract-ocr-data-tur \
# tesseract-ocr-data-ukr \
# tesseract-ocr-data-vie
sudo \
tesseract-ocr \
tesseract-ocr-data-afr \
tesseract-ocr-data-ara \
tesseract-ocr-data-aze \
tesseract-ocr-data-bel \
tesseract-ocr-data-ben \
tesseract-ocr-data-bul \
tesseract-ocr-data-cat \
tesseract-ocr-data-ces \
tesseract-ocr-data-chi_sim \
tesseract-ocr-data-chi_tra \
tesseract-ocr-data-chr \
tesseract-ocr-data-dan \
tesseract-ocr-data-deu \
tesseract-ocr-data-ell \
tesseract-ocr-data-enm \
tesseract-ocr-data-epo \
tesseract-ocr-data-equ \
tesseract-ocr-data-est \
tesseract-ocr-data-eus \
tesseract-ocr-data-fin \
tesseract-ocr-data-fra \
tesseract-ocr-data-frk \
tesseract-ocr-data-frm \
tesseract-ocr-data-glg \
tesseract-ocr-data-grc \
tesseract-ocr-data-heb \
tesseract-ocr-data-hin \
tesseract-ocr-data-hrv \
tesseract-ocr-data-hun \
tesseract-ocr-data-ind \
tesseract-ocr-data-isl \
tesseract-ocr-data-ita \
tesseract-ocr-data-ita_old \
tesseract-ocr-data-jpn \
tesseract-ocr-data-kan \
tesseract-ocr-data-kat \
tesseract-ocr-data-kor \
tesseract-ocr-data-lav \
tesseract-ocr-data-lit \
tesseract-ocr-data-mal \
tesseract-ocr-data-mkd \
tesseract-ocr-data-mlt \
tesseract-ocr-data-msa \
tesseract-ocr-data-nld \
tesseract-ocr-data-nor \
tesseract-ocr-data-pol \
tesseract-ocr-data-por \
tesseract-ocr-data-ron \
tesseract-ocr-data-rus \
tesseract-ocr-data-slk \
tesseract-ocr-data-slv \
tesseract-ocr-data-spa \
tesseract-ocr-data-spa_old \
tesseract-ocr-data-sqi \
tesseract-ocr-data-srp \
tesseract-ocr-data-swa \
tesseract-ocr-data-swe \
tesseract-ocr-data-tam \
tesseract-ocr-data-tel \
tesseract-ocr-data-tgl \
tesseract-ocr-data-tha \
tesseract-ocr-data-tur \
tesseract-ocr-data-ukr \
tesseract-ocr-data-vie
# Install pdftk
RUN \


@ -230,9 +230,10 @@ class Vm(QtCore.QObject):
args_str = " ".join(pipes.quote(s) for s in args)
print("> " + args_str)
# To be able to login to the VM from the console, remove the stdout, stderr, and stdin args below
self.hyperkit_p = subprocess.Popen(
args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
)
# self.hyperkit_p = subprocess.Popen(
# args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
# )
self.hyperkit_p = subprocess.Popen(args)
# Wait for SSH thread
self.wait_t = WaitForSsh(self.sshd_tunnel_port)
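Review bot: The new `self.hyperkit_p = subprocess.Popen(args)` leaves hyperkit attached to the parent's stdin, stdout and stderr, which the comment just above describes as the console-login debugging mode, while the redirected call is kept only as a commented-out block; this reads as a debugging toggle that landed in the commit. Presumably whoever controls the parent process's terminal now gets the VM console, and the commented code will drift from the live line. Keep the redirected form, `self.hyperkit_p = subprocess.Popen(args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull)`, and if console access is wanted, gate it behind an explicit flag rather than a comment swap. The enclosing method starts and ends outside the hunk.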


@ -1,6 +1,6 @@
alpine-base
podman
dropbear
sshfs
autossh
python3
sudo


@ -8,10 +8,6 @@ start() {
# Create user
/usr/sbin/adduser -D -u 1001 user
# Make folder for user mounts
mkdir /home/user/mnt
chown user:user /home/user/mnt
# Move containers into home dir
mkdir -p /home/user/.local/share
mv /etc/container-data /home/user/.local/share/containers


@ -16,53 +16,55 @@ def main():
info = json.loads(s[0 : s.find(b"\0")])
# Create SSH files
os.makedirs("/home/user/.ssh", exist_ok=True)
# Create root's SSH files
os.makedirs("/root/.ssh", exist_ok=True)
with open("/home/user/.ssh/id_ed25519", "w") as f:
with open("/root/.ssh/id_ed25519", "w") as f:
f.write(info["id_ed25519"])
f.write("\n")
with open("/home/user/.ssh/id_ed25519.pub", "w") as f:
with open("/root/.ssh/id_ed25519.pub", "w") as f:
f.write(info["id_ed25519.pub"])
f.write("\n")
with open("/root/.ssh/config", "w") as f:
f.write("Host hostbox\n")
f.write(f" Hostname {info['ip']}\n")
f.write(f" Port {info['port']}\n")
f.write(f" User {info['user']}\n")
f.write(f" RemoteForward {info['tunnel_port']} 127.0.0.1:22\n")
f.write(" IdentityFile /root/.ssh/id_ed25519\n")
f.write(" ServerAliveInterval 30\n")
f.write(" ServerAliveCountMax 3\n")
f.write(" StrictHostKeyChecking no\n")
f.write("\n")
os.chmod("/root/.ssh", 0o700)
os.chmod("/root/.ssh/id_ed25519", 0o600)
os.chmod("/root/.ssh/id_ed25519.pub", 0o600)
os.chmod("/root/.ssh/config", 0o600)
# Create user's SSH files
os.makedirs("/home/user/.ssh", exist_ok=True)
with open("/home/user/.ssh/authorized_keys", "w") as f:
f.write(info["id_ed25519.pub"])
f.write("\n")
with open("/home/user/.ssh/config", "w") as f:
f.write("Host hostbox\n")
f.write(f" Hostname {info['ip']}\n")
f.write(f" Port {info['port']}\n")
f.write(f" User {info['user']}\n")
f.write(" IdentityFile /home/user/.ssh/id_ed25519\n")
f.write("\n")
os.chmod("/home/user/.ssh", 0o700)
os.chmod("/home/user/.ssh/id_ed25519", 0o600)
os.chmod("/home/user/.ssh/id_ed25519.pub", 0o644)
os.chmod("/home/user/.ssh/authorized_keys", 0o600)
os.chmod("/home/user/.ssh/config", 0o600)
shutil.chown("/home/user/.ssh", "user", "user")
shutil.chown("/home/user/.ssh/id_ed25519", "user", "user")
shutil.chown("/home/user/.ssh/id_ed25519.pub", "user", "user")
shutil.chown("/home/user/.ssh/authorized_keys", "user", "user")
shutil.chown("/home/user/.ssh/config", "user", "user")
# Start SSH reverse port forward
subprocess.run(
[
"/usr/bin/sudo",
"-u",
"user",
"/usr/bin/ssh",
"-o",
"StrictHostKeyChecking=no",
"/usr/bin/autossh",
"-M",
"0",
"-f",
"-N",
"-R",
f"{info['tunnel_port']}:127.0.0.1:22",
"hostbox",
]
)
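Review bot: Root's private key is written with `open("/root/.ssh/id_ed25519", "w")` under the process umask and only tightened to 0600 by the later `os.chmod`, and `/root/.ssh` is likewise created by `os.makedirs` with the default mode before its chmod, so for a moment the key is readable by whatever the umask permits — the exposure this commit sets out to close. Create both with the final mode from the start: `os.makedirs("/root/.ssh", mode=0o700, exist_ok=True)` and `with open(os.open("/root/.ssh/id_ed25519", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:`. `StrictHostKeyChecking no` in root's config carries the old command-line option forward, so the `RemoteForward` of the VM's sshd is handed to whatever answers at `info['ip']` without host authentication; if the host can pass its sshd host public key in `info` (under a key name to be agreed), writing it to `/root/.ssh/known_hosts` and setting `UserKnownHostsFile` with `StrictHostKeyChecking yes` would close that. If the `-R` argument in the autossh command is still on the new side it duplicates the `RemoteForward` line in the config, and `subprocess.run` discards autossh's exit status, so a tunnel that fails to start goes unreported. main() continues past the end of the hunk.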


@ -9,5 +9,5 @@ profile_dangerzone() {
kernel_cmdline="console=tty0 console=ttyS0,115200"
syslinux_serial="0 115200"
apkovl="genapkovl-dangerzone.sh"
apks="$apks podman dropbear sshfs python3 sudo"
apks="$apks podman dropbear autossh python3 sudo"
}