author: intrigeri <intrigeri@boum.org> 2018-06-06 15:29:34 +0000
committer: intrigeri <intrigeri@boum.org> 2018-06-06 15:30:39 +0000
commit: f92d53d55e1f255756c6619b698674e1e821f141
tree: 144d4d18fef2497cf2acf27f8e006c59896e2718 /config/chroot_local-includes/lib
parent: 81749e2b648f6aa0b03f897dcad4c935d035a283
Ensure the amnesia user can cross the /media/tails-persistence-setup/ directory boundary (refs: #15566)
… by creating that directory via a live-config hook, with appropriate ownership and permissions.

A newly created persistent volume is mounted on /media/tails-persistence-setup/TailsData by t-p-s (via udisks2). At the end of the (new) persistent volume configuration process, we display a "gear" icon that, when clicked, starts tails-additional-software-config as the amnesia user. tails-additional-software-config needs to read /media/tails-persistence-setup/TailsData/live-additional-software.conf (otherwise tails-additional-software-config pretends no ASP is configured yet). Without these custom, relaxed permissions, that would be impossible: by default, /media/tails-persistence-setup is created (presumably by udisks2) with permissions 0700 and owned by tails-persistence-setup:root.

This change is safe because:

1. /media/tails-persistence-setup/TailsData is the only thing that ever gets created under /media/tails-persistence-setup;

2. TailsData, i.e. the root of the persistent filesystem, is world-readable, so under normal circumstances, when Tails was started with the persistent volume unlocked, the amnesia user would be allowed to access it anyway.

Still, this change does not seem to be enough to fix the UX problem we're after here. For some reason tails-additional-software-config still pretends that no ASP is configured yet, even though it does seem to have all the permissions it needs to list them: see https://labs.riseup.net/code/issues/15566#note-7 for details.
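The commit message turns on one detail of Unix path resolution: to open a file, a process needs the execute (search) bit on every directory along the path and the read bit only on the final object, and the kernel consults exactly one permission class (owner, else group, else other) per object. The following model, an added example that is not Tails code, reproduces that check over a constructed in-memory layout so the two layouts discussed above can be compared without root or a real /media: the udisks2 default (0700, tails-persistence-setup:root) and the hook's layout (0710, tails-persistence-setup:amnesia). The modes assumed for /media, TailsData and live-additional-software.conf (0755, 0755, 0644) are assumptions chosen to match the "world-readable persistent filesystem root" described in the message, not values taken from Tails.

```python
"""Model of the Unix permission check behind the 0700 -> 0710 change.

Constructed example, not Tails code. It models:
  * the owner / group / other bit classes and the rule that only the
    first matching class is consulted (an owner lacking a bit is NOT
    rescued by group or other bits);
  * path resolution: every directory on the way needs X (search), the
    final component needs whatever access is requested.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int       # permission bits only, e.g. 0o710
    is_dir: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def class_bits(entry: Entry, user: User) -> int:
    """Return the 3-bit permission class that applies to `user`."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 0o7
    if entry.group in user.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def can_access(fs: dict, user: User, path: str, want: int) -> bool:
    """True if `user` may perform access `want` (R/W/X) on `path`.

    `fs` maps absolute paths to Entry objects; "/" is implicit and open.
    Each intermediate component must be a directory searchable (X) by
    the user; the final component must grant the requested bits.
    """
    parts = [p for p in path.split("/") if p]
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        entry = fs.get(cur)
        if entry is None:
            return False  # ENOENT
        last = i == len(parts) - 1
        if not last and not entry.is_dir:
            return False  # ENOTDIR
        needed = want if last else X
        if class_bits(entry, user) & needed != needed:
            return False  # EACCES
    return True


# --- constructed layouts ------------------------------------------------

TPS_DIR = "/media/tails-persistence-setup"
TAILSDATA = TPS_DIR + "/TailsData"
CONF = TAILSDATA + "/live-additional-software.conf"


def layout(tps_dir_group: str, tps_dir_mode: int) -> dict:
    """Hypothetical filesystem; only the tps directory varies."""
    return {
        "/media": Entry("root", "root", 0o755, True),          # assumed
        TPS_DIR: Entry("tails-persistence-setup", tps_dir_group,
                       tps_dir_mode, True),
        TAILSDATA: Entry("root", "root", 0o755, True),         # assumed
        CONF: Entry("root", "root", 0o644, False),             # assumed
    }


def udisks2_default() -> dict:
    # What the commit message says udisks2 creates: 0700, tps:root.
    return layout("root", 0o700)


def hook_layout() -> dict:
    # What the new live-config hook installs: 0710, tps:amnesia.
    return layout("amnesia", 0o710)


AMNESIA = User("amnesia", frozenset({"amnesia"}))
TPS = User("tails-persistence-setup", frozenset({"tails-persistence-setup"}))


def summary() -> dict:
    """Collect the comparisons a reviewer would want to see side by side."""
    return {
        "amnesia reads conf, 0700": can_access(udisks2_default(), AMNESIA, CONF, R),
        "amnesia reads conf, 0710": can_access(hook_layout(), AMNESIA, CONF, R),
        "amnesia lists tps dir, 0710": can_access(hook_layout(), AMNESIA, TPS_DIR, R),
        "amnesia searches tps dir, 0710": can_access(hook_layout(), AMNESIA, TPS_DIR, X),
        "other user reads conf, 0710": can_access(
            hook_layout(), User("nobody", frozenset({"nogroup"})), CONF, R),
        "tps lists own dir, 0710": can_access(hook_layout(), TPS, TPS_DIR, R),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:32s} {v}")
```

The "lists tps dir" row is the property the hook's comment leaves implicit: 0710 lets the amnesia group cross the directory (X) without being able to enumerate it (no R), which is why the mode is 0710 rather than 0750. The "other user" row shows that users outside the amnesia group are still stopped at the boundary by the 0 in the other class.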
Diffstat (limited to 'config/chroot_local-includes/lib')
-rwxr-xr-x config/chroot_local-includes/lib/live/config/3000-tps-media-directory 19
1 file changed, 19 insertions, 0 deletions
diff --git a/config/chroot_local-includes/lib/live/config/3000-tps-media-directory b/config/chroot_local-includes/lib/live/config/3000-tps-media-directory
new file mode 100755
index 0000000..8957a79
--- /dev/null
+++ b/config/chroot_local-includes/lib/live/config/3000-tps-media-directory
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# We need laxer permissions than the default (tails-persistence-setup:root,
+# 0700) here so that a newly created persistent volume is accessible
+# to the amnesia user, that runs the tails-additional-software-config
+# GUI app which needs to read
+# /media/tails-persistence-setup/TailsData/live-additional-software.conf.
+
+Create_tps_media_directory ()
+{
+ echo "- creating tails-persistence-setup's directory under /media"
+ install -o tails-persistence-setup -g amnesia \
+ -m 0710 -d /media/tails-persistence-setup
+
+ # Creating state file
+ touch /var/lib/live/config/tps-media-directory
+}
+
+Create_tps_media_directory
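Review bot: the state file written by `touch /var/lib/live/config/tps-media-directory` is never consulted, so `Create_tps_media_directory` runs unconditionally on every invocation of the hook and the state file serves no purpose; other live-config hooks exit early when their state file exists, and this one should do the same with a check such as `if [ -e /var/lib/live/config/tps-media-directory ]; then exit 0; fi` before the call at the bottom. Related: with no `set -e` and no `&&` between `install` and `touch`, a failing `install` (for instance if the `amnesia` group does not exist yet at this point of boot) still records the hook as done. Finally, the header comment explains why the default is too strict but not why 0710 rather than 0750 was chosen; one sentence noting that the group only needs the search bit to cross into TailsData, and deliberately gets no read bit so it cannot list /media/tails-persistence-setup, would document the intent behind the mode.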