authorTails developers <>2014-06-24 10:47:16 +0000
committerTails developers <>2014-06-24 10:47:16 +0000
commitd4c4a3454f3e2aad6d0260822b4ff4e15c9fd180 (patch)
parent95c1b500624a4ed8c439ac06f415370c9c19184f (diff)
parent700888d9b9641ba2256b06f51dae09353dafcb3e (diff)
Merge branch 'bugfix/7345-upgrade-from-iso-from-1.0-to-1.1' into devel
8 files changed, 122 insertions, 27 deletions
diff --git a/config/binary_local-hooks/40-include_syslinux_in_ISO_filesystem b/config/binary_local-hooks/40-include_syslinux_in_ISO_filesystem
new file mode 100755
index 0000000..6b74f9a
--- /dev/null
+++ b/config/binary_local-hooks/40-include_syslinux_in_ISO_filesystem
@@ -0,0 +1,33 @@
+set -e
+# Including common functions
+. "${LB_BASE:-/usr/share/live/build}"/scripts/
+# Setting static variables
+DESCRIPTION="$(Echo 'including syslinux in the ISO filesystem')"
+# Reading configuration files
+Read_conffiles config/all config/bootstrap config/common config/binary
+# Safeguards
+[ "${LB_BOOTLOADER}" = "syslinux" ] || exit 0
+[ "${LB_ARCHITECTURE}" = "i386" ] || exit 0
+# Seems like we'll have work to do
+Echo_message 'including syslinux in the ISO filesystem'
+# Variables
+# Main
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
index 1cc361f..aeb936f 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
@@ -1,6 +1,6 @@
-Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar
+Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
-Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend
+Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
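Review bot: The new `INSTALL_IUK` entry `/lib/live/mount/medium/utils/linux/syslinux` names a binary on the Tails system partition, which the same alias can already rewrite as root through `cp`, `dd`, `mount` and `tar` with unrestricted arguments, and nothing in the file says this is an accepted trade-off. I would record the reasoning next to the alias, e.g. `# syslinux is run from the boot medium after an upgrade; INSTALL_IUK is root-equivalent by design, see contribute/design/incremental_upgrades`. The trailing `""` on `UPGRADE_FRONTEND` is what limits callers of the frontend to a no-argument invocation and deserves its own comment, e.g. `# "" = no arguments permitted; only the release test procedure relaxes this`. The user specifications that grant these aliases lie outside the hunk, so who may use them cannot be checked from here.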
diff --git a/config/chroot_local-includes/usr/local/bin/tails-upgrade-frontend-wrapper b/config/chroot_local-includes/usr/local/bin/tails-upgrade-frontend-wrapper
index 75cce5e..978958b 100755
--- a/config/chroot_local-includes/usr/local/bin/tails-upgrade-frontend-wrapper
+++ b/config/chroot_local-includes/usr/local/bin/tails-upgrade-frontend-wrapper
@@ -69,5 +69,9 @@ sleep 30
check_free_memory "$MIN_MEMFREE" "$MIN_TOTAL_MEMFREE"
xhost +SI:localuser:"$RUN_AS_USER"
-gksudo -u "$RUN_AS_USER" "/usr/bin/tails-upgrade-frontend $@"
+if [ $# -gt 0 ] ; then
+ gksudo -u "$RUN_AS_USER" "/usr/bin/tails-upgrade-frontend $@"
+ gksudo -u "$RUN_AS_USER" /usr/bin/tails-upgrade-frontend
xhost -SI:localuser:"$RUN_AS_USER"
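Review bot: In the `$# -gt 0` branch, `"/usr/bin/tails-upgrade-frontend $@"` mixes a literal prefix with `$@`, so with two or more arguments the first is glued onto the command string and the rest reach gksudo as separate words. The argument vector that the sudo policy finally matches therefore depends on how many arguments were passed. If a single command string is intended, make the join explicit with `gksudo -u "$RUN_AS_USER" "/usr/bin/tails-upgrade-frontend $*"`. If the sudoers rule changed in this same commit (`/usr/bin/tails-upgrade-frontend ""`) is the one governing this call, the branch will be refused on an unmodified system, so a comment such as `# arguments are only accepted once the sudoers rule has been relaxed, as the release test procedure does` would save the next reader a debugging session. The `else` and `fi` lines of the conditional are not visible in the hunk as shown.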
diff --git a/features/usb_install.feature b/features/usb_install.feature
index 72415e7..cdf15a9 100644
--- a/features/usb_install.feature
+++ b/features/usb_install.feature
@@ -227,7 +227,24 @@ Feature: Installing Tails to a USB drive, upgrading it, and using persistence
And the expected persistent files are present in the filesystem
- Scenario: Upgrading an old Tails USB installation from an ISO image
+ Scenario: Upgrading an old Tails USB installation from an ISO image, running on the old version
+ Given a computer
+ And I clone USB drive "old" to a new USB drive "to_upgrade"
+ And the computer is set to boot from USB drive "old"
+ And the network is unplugged
+ And I setup a filesystem share containing the Tails ISO
+ When I start the computer
+ And the computer boots Tails
+ And I log in to a new session
+ And GNOME has started
+ And all notifications have disappeared
+ And I plug USB drive "to_upgrade"
+ And I do a "Upgrade from ISO" on USB drive "to_upgrade"
+ Then Tails is installed on USB drive "to_upgrade"
+ And I unplug USB drive "to_upgrade"
+ @keep_volumes
+ Scenario: Upgrading an old Tails USB installation from an ISO image, running on the new version
Given a computer
And I clone USB drive "old" to a new USB drive "to_upgrade"
And the computer is set to boot from the Tails DVD
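Review bot: The new scenario "…running on the old version" stops at `Then Tails is installed on USB drive "to_upgrade"` and then unplugs the drive, so as far as this hunk shows the upgraded stick is never booted. The branch exists to keep the installed syslinux and MBR in step with the shipped COM32 modules, and a mismatch only shows up at boot time. Consider following the scenario with one that boots `"to_upgrade"`, reusing the existing `the computer is set to boot from USB drive` and `the computer boots Tails` steps, with `@keep_volumes` on it so the drive survives between scenarios. The second scenario continues past the end of the hunk, so such a check may already exist for the "new version" path.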
diff --git a/wiki/src/contribute/design/incremental_upgrades.mdwn b/wiki/src/contribute/design/incremental_upgrades.mdwn
index 6d25058..5b434e1 100644
--- a/wiki/src/contribute/design/incremental_upgrades.mdwn
+++ b/wiki/src/contribute/design/incremental_upgrades.mdwn
@@ -168,8 +168,8 @@ The initial IUK generator will ship those files in every IUK:
* `system.tar` contains files that are already compressed
(e.g. kernel, initrd, `*.squashfs`)
-* `boot.tar.bz2` contains files that are not compressed already
- (that is the syslinux configuration)
+* `boot.tar.bz2` contains files that are not compressed yet
+ (that is: syslinux configuration, modules and utilities)
These are implementation details the IUK installer software must not
rely upon.
@@ -427,6 +427,12 @@ medium read-write.
* Delete files that are listed in the `delete_files` control field.
* Append the new SquashFS diff file name to the `live/Tails.module`
file, in the Tails system partition.
+* Upgrade syslinux with the binary found in `utils/linux/syslinux` on
+ the Tails system partition. Likewise, upgrade the boot device's MBR
+ with the one found in `utils/mbr/mbr.bin` on the Tails system
+ partition. This ensures that the installed version of syslinux
+ matches the version of the COM32 modules that were shipped by the
+ IUK.
Detailed executable scenarios describe and test the behaviour of this
piece of software in Cucumber-style, using [[!cpan
@@ -679,8 +685,9 @@ fix this.
## Privilege separation
-The default Live user (`amnesia`) runs the upgrade frontend as the
-dedicated `tails-upgrade-frontend` user, who:
+The default Live user (`amnesia`) is allowed to run the upgrade
+frontend, without arguments, as the dedicated `tails-upgrade-frontend`
+user, who itself:
* is allowed to run the `tails-shutdown-network` and `/sbin/reboot`
programs, using passwordless sudo, as any user;
@@ -696,10 +703,21 @@ dedicated `tails-upgrade-frontend` user, who:
The `tails-install-iuk` user is allowed to run, using passwordless
sudo, every command required by its task (currently: `chmod`, `cp`,
-`mkdir`, `mktemp`, `mount`, `rm` and `tar`) with any arguments. It is
-a member of the `tails-iuk-get-target-file` group, which allows it to
+`dd`, `mkdir`, `mktemp`, `mount`, `rm`, `tar` and
+`/lib/live/mount/medium/utils/linux/syslinux`) with any arguments.
+It is a member of the `tails-iuk-get-target-file` group, which allows it to
read the files downloaded by the `tails-iuk-get-target-file` program.
+## Running syslinux after applying an IUK
+Anyone who can feed `tails-install-iuk` with an arbitrary IUK can run
+arbitrary code as root, by storing the attack code in one of the
+tarballs contained in the IUK, as `utils/linux/syslinux`. This does
+not introduce new security risks: the very same adversary could plant
+a persistent rootkit anyway. Our protection against this instead
+relies in the privilege separation described above: all that the
+`amnesia` user can do is run the frontend with no arguments.
# Research
## Secure upgrade
diff --git a/wiki/src/contribute/design/installation.mdwn b/wiki/src/contribute/design/installation.mdwn
index 265cbfe..f6ddf6f 100644
--- a/wiki/src/contribute/design/installation.mdwn
+++ b/wiki/src/contribute/design/installation.mdwn
@@ -12,9 +12,25 @@ available removable storage devices.
-Tails Installer is able to do full upgrades of an already installed
-USB stick. During the needed operations, everything except the Tails system
-partition is left untouched.
+Tails Installer can perform a full upgrade of an already installed
+USB stick. During this process, nothing is modified on the target
+drive but the Tails system partition and the [[!wikipedia Master boot record]].
+At the end of the upgrade process, we upgrade syslinux with the binary
+found in `utils/linux/syslinux` on the Tails system partition.
+Likewise, upgrade the boot device's MBR with the one found in
+`utils/mbr/mbr.bin` on the Tails system partition. This ensures that
+the installed version of syslinux matches the version of the COM32
+modules that are shipped by the version of Tails the target drive was
+just upgraded to.
+Security discussion: with this mechanism in place, anyone who can feed
+an arbitrary ISO into Tails Installer can run arbitrary code (stored
+in the ISO filesystem as `utils/linux/syslinux`) as the user running
+Tails Installer. We have no mechanism to run Tails Installer with
+elevated privileges currently, so this should not be a problem: being
+able to run `liveusb-creator` with arbitrary arguments is equivalent
+to being able to run arbitrary code already.
Mode of operation and booting methods
@@ -40,7 +56,7 @@ Two alternatives booting methods have been investigated:
We have settled on the *copy ISO's content* way, mostly because it is overall
simpler, more robust, and allows
-implementing [[!tails_todo incremental_upgrades]] relatively easily.
+implementing [[contribute/design/incremental_upgrades]] relatively easily.
@@ -56,11 +72,13 @@ The storage device is partitioned using [GPT](
* Partitions can be labeled. The [[design/persistence]] setup tools can
easily detect the right partitions without blind tries.
-The system partition (holding Tails) has a size of 1.5 GB, with the
+The system partition (holding Tails) has a size of 2.5 GB, with the
following estimates:
* Tails ISO: 1GB
- * 3 [[!tails_todo incremental_upgrades desc="incremental upgrade kits"]], 60 MB each: 180MB
+ * 3 [[incremental upgrade kits|contribute/design/incremental upgrade]], 200 MB each: 600MB
+ * free space needed to install an incremental upgrade kit: 2 * 200 MB
+ = 600 MB
The Tails system partition uses a FAT32 filesystem, mainly because it is the
one supported by SYSLINUX we may easily create, in a programmatic manner, from
@@ -124,11 +142,11 @@ We have `.desktop` files for the following usecases:
Why a fork of liveusb-creator?
-After an initial [[!tails_todo usb_install_and_upgrade/archive desc="roundup of existing tools"]],
+After an initial [[roundup of existing tools|blueprint/usb_install_and_upgrade/archive]],
we decided to use Fedora's `liveusb-creator` as a basis, for reasons that are now
obsolete due to more recent design choices. While we did most of our initial
adaptation work on liveusb-creator with future upstreaming of our changes in
mind, it proved to be hard, and future extension seems now out of question.
-Our [[!tails_todo usb_install_and_upgrade desc="future plans"]] include moving to another
+Our [[future plans|blueprint/usb_install_and_upgrade]] include moving to another
piece of software as a basis, and hopefully working more closely with this
future upstream of ours.
diff --git a/wiki/src/contribute/release_process/tails-iuk.mdwn b/wiki/src/contribute/release_process/tails-iuk.mdwn
index e14db5d..79ac5d1 100644
--- a/wiki/src/contribute/release_process/tails-iuk.mdwn
+++ b/wiki/src/contribute/release_process/tails-iuk.mdwn
@@ -23,6 +23,10 @@ Install build-dependencies from Debian:
liblocale-msgfmt-perl libmoosex-has-sugar-perl \
+If running something older than Jessie:
+ apt-get install libtest-bdd-cucumber/wheezy-backports
Install build-dependencies that are not in Debian yet:
DEB_BUILD_OPTIONS=nocheck dh-make-perl --build --install --cpan Dist::Zilla::Plugin::LocaleMsgfmt
@@ -60,12 +64,6 @@ relevant tag of Tails' perl5lib):
# run the tests in closer to real conditions
umask 077
- # Run the pherkin tests
- # for each $FEATURE in features/* :
- LC_ALL=C PERL5LIB=/home/user/tails/perl5lib/lib pherkin $FEATURE
- # ... and manually cleanup mounted filesystems and busy loopback
- # devices left behind between each run of some features, sorry :(
# Run the rest of the test suite
RELEASE_TESTING=1 LC_ALL=C PERL5LIB=/home/user/tails/perl5lib/lib dzil test
@@ -97,9 +95,9 @@ Commit `debian/changelog`:
git commit debian/changelog -m "$(head -n 1 debian/changelog | sed -e 's,).*,),')"
-Build a Debian package (use a Wheezy chroot with the `tails-perl5lib`
-package available), add a signed tag to the repository and push the
+Build a Debian package (use a Wheezy chroot with the right version of
+`tails-perl5lib` installed), add a signed tag to the repository and
+push the changes:
git-buildpackage && \
git-buildpackage --git-tag-only --git-sign-tags && \
diff --git a/wiki/src/contribute/release_process/test.mdwn b/wiki/src/contribute/release_process/test.mdwn
index 893519a..001087c 100644
--- a/wiki/src/contribute/release_process/test.mdwn
+++ b/wiki/src/contribute/release_process/test.mdwn
@@ -470,6 +470,13 @@ correctly.
echo "" | sudo tee --append /etc/hosts
+ * Patch sudo configuration to allow passing arbitrary arguments to
+ `tails-upgrade-frontend`:
+ sudo sed -i \
+ -e 's,/usr/bin/tails-upgrade-frontend ""$,/usr/bin/tails-upgrade-frontend,' \
+ /etc/sudoers.d/zzz_upgrade
* Call the upgrader must be called, from inside the system to upgrade,
with every needed option to use the local web server rather than the
online one, for example: