From 9fcb3045453575b2d9252c3c084ef89756dc68b5 Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Tue, 27 Jul 2021 10:54:17 -0700
Subject: [PATCH] Lockdown ssh, and also temporarily comment out deleting containers on ISO build
---
 dangerzone/gui/vm.py | 15 ++++++++++-----
 install/vm-builder/build-iso.sh | 4 +++-
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/dangerzone/gui/vm.py b/dangerzone/gui/vm.py
index 2f18841..e69a7ab 100644
--- a/dangerzone/gui/vm.py
+++ b/dangerzone/gui/vm.py
@@ -153,6 +153,8 @@ class Vm(QtCore.QObject):
 "UseDNS=no",
 "-o",
 f"AuthorizedKeysFile={self.ssh_client_pubkey_path}",
+ "-o",
+ "ForceCommand=/sbin/nologin",
 ]
 args_str = " ".join(pipes.quote(s) for s in args)
 print("> " + args_str)
@@ -229,11 +231,14 @@ class Vm(QtCore.QObject):
 ]
 args_str = " ".join(pipes.quote(s) for s in args)
 print("> " + args_str)
- # To be able to login to the VM from the console, remove the stdout, stderr, and stdin args below
- # self.hyperkit_p = subprocess.Popen(
- # args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
- # )
- self.hyperkit_p = subprocess.Popen(args)
+
+ # Start the VM with the ability to login
+ # self.hyperkit_p = subprocess.Popen(args)
+
+ # Start the VM without ability to login
+ self.hyperkit_p = subprocess.Popen(
+ args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
+ )
 # Wait for SSH thread
 self.wait_t = WaitForSsh(self.sshd_tunnel_port)
diff --git a/install/vm-builder/build-iso.sh b/install/vm-builder/build-iso.sh
index abdae3d..e314726 100755
--- a/install/vm-builder/build-iso.sh
+++ b/install/vm-builder/build-iso.sh
@@ -5,7 +5,9 @@ sudo modprobe fuse
 sudo modprobe tun
 sudo rc-update add cgroups
 sudo rc-service cgroups start
-sudo -u user podman system prune -a -f
+
+# Temporarily comment this out to speed up building ISOs in dev
+# sudo -u user podman system prune -a -f
 # Build the podman container
 cd /opt/dangerzone-converter
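Review bot: `ForceCommand=/sbin/nologin` stops the key in `AuthorizedKeysFile` from running a shell or command, but it does not limit port forwarding, and no forwarding option appears in the visible part of the sshd argument list. If this sshd exists only so the VM can open a reverse tunnel (the later `WaitForSsh(self.sshd_tunnel_port)` suggests so), a guest holding the key could still request forwarding in the other direction, towards host-local services. Unless they are already set earlier in the list, add `"-o", "AllowTcpForwarding=remote"`, `"-o", "AllowStreamLocalForwarding=no"` and `"-o", "PermitTTY=no"`, and consider `PermitListen` to pin the single tunnel port. The list starts outside the hunk, so confirm what precedes `UseDNS=no`.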
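Review bot: The login-capable launch survives as the commented-out `# self.hyperkit_p = subprocess.Popen(args)`, so turning console access back on is a one-line source edit that nothing in a shipped build records. Consider deleting that line and choosing the stdio target from an explicit opt-in that defaults to off and prints a warning when enabled, for example `stdio = None if debug_console else self.devnull` (`debug_console` is a suggested new flag, not an existing one). Sending hyperkit's stderr to `self.devnull` also discards its startup errors, so writing stderr to a log file would keep a failed boot diagnosable. Detaching stdio only removes the host terminal from the VM console; whether the guest image itself still accepts console logins is not visible here. The enclosing method starts and ends outside the hunk.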
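Review bot: With `podman system prune -a -f` commented out, each ISO build reuses whatever images and layers earlier builds left in the user's podman store, so the contents of a release ISO can depend on the build machine's history rather than only on the sources. The comment calls this temporary, but nothing in the script re-enables the prune for release builds. Consider keeping the prune as the default and skipping it only on explicit request, e.g. `[ -n "${SKIP_PRUNE:-}" ] || sudo -u user podman system prune -a -f` (the variable name is a suggestion, not an existing setting).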