Diffstat (limited to 'config/chroot_local-includes/usr/local/sbin/live-persist')
-rwxr-xr-xconfig/chroot_local-includes/usr/local/sbin/live-persist48
1 files changed, 39 insertions, 9 deletions
diff --git a/config/chroot_local-includes/usr/local/sbin/live-persist b/config/chroot_local-includes/usr/local/sbin/live-persist
index fe1eb93..8bdba4f 100755
--- a/config/chroot_local-includes/usr/local/sbin/live-persist
+++ b/config/chroot_local-includes/usr/local/sbin/live-persist
@@ -226,9 +226,9 @@ other::r-x"
persistence_conf_file_has_correct_access_rights ()
{
local conf="$1"
+ local expected_perms="$2"
local expected_user=tails-persistence-setup
local expected_group=tails-persistence-setup
- local expected_perms=600
local expected_acl=""
if [ $(stat -c %U "$conf") != "$expected_user" ]
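Review bot: `expected_perms` is now read from `$2` with no default and no emptiness check, so a call with a single argument leaves it empty and the mode comparison, which is outside this hunk, would presumably never match. Keeping the previous value as the fallback, `local expected_perms="${2:-600}"`, preserves the old behaviour for any caller this diff does not touch. The same applies to `create_empty_persistence_conf_file` in the next hunk, where an empty `$2` reaches `install --mode ""`; `local mode="${2:-0600}"` there would also make the `-z "$mode"` block in `disable_and_create_empty_persistence_conf_file` unnecessary. The body of `persistence_conf_file_has_correct_access_rights` continues past the end of this hunk.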
@@ -258,18 +258,25 @@ persistence_conf_file_has_correct_access_rights ()
disable_and_create_empty_persistence_conf_file ()
{
local conf="$1"
+ local mode="$2"
+
+ if [ -z "$mode" ]
+ then
+ mode=0600
+ fi
mv "$conf" "${conf}.insecure_disabled" \
|| error "Failed to disable '$conf': $?"
- create_empty_persistence_conf_file "$conf"
+ create_empty_persistence_conf_file "$conf" "$mode"
}
create_empty_persistence_conf_file ()
{
local conf="$1"
+ local mode="$2"
install --owner tails-persistence-setup \
- --group tails-persistence-setup --mode 0600 \
+ --group tails-persistence-setup --mode "$mode" \
/dev/null "$conf" \
|| error "Failed to create empty '$conf': $?"
}
@@ -341,7 +348,7 @@ activate_volumes ()
do
if test ! -f "$mountpoint/live-additional-software.conf"
then
- create_empty_persistence_conf_file "$mountpoint/live-additional-software.conf"
+ create_empty_persistence_conf_file "$mountpoint/live-additional-software.conf" "0644"
fi
done
@@ -349,25 +356,40 @@ activate_volumes ()
# has wrong access rights.
if [ "$ACCESS_RIGHTS_ARE_CORRECT" != true ]
then
- for f in $(ls /live/persistence/*_unlocked/persistence.conf \
- /live/persistence/*_unlocked/live-additional-software.conf || true)
+ for f in $(ls /live/persistence/*_unlocked/persistence.conf || true)
do
warning "Disabling '$f': persistent volume has unsafe access rights"
disable_and_create_empty_persistence_conf_file "$f"
done
+ for f in $(ls /live/persistence/*_unlocked/live-additional-software.conf || true)
+ do
+ warning "Disabling '$f': persistent volume has unsafe access rights"
+ disable_and_create_empty_persistence_conf_file "$f" "644"
+ done
fi
# Regardless of the mountpoint access rights, disable persistence
# configuration files with wrong access rights.
- for f in $(ls /live/persistence/*_unlocked/persistence.conf \
- /live/persistence/*_unlocked/live-additional-software.conf || true)
+ for f in $(ls /live/persistence/*_unlocked/persistence.conf || true)
do
- if ! persistence_conf_file_has_correct_access_rights "$f"
+ if ! persistence_conf_file_has_correct_access_rights "$f" "600"
then
warning "Disabling '$f', that has unsafe access rights"
disable_and_create_empty_persistence_conf_file "$f"
fi
done
+ for f in $(ls /live/persistence/*_unlocked/live-additional-software.conf || true)
+ do
+ if persistence_conf_file_has_correct_access_rights "$f" "600"
+ then
+ chmod 0644 "$f"
+ fi
+ if ! persistence_conf_file_has_correct_access_rights "$f" "644"
+ then
+ warning "Disabling '$f', that has unsafe access rights"
+ disable_and_create_empty_persistence_conf_file "$f" "644"
+ fi
+ done
# Fix permissions on persistent directories that were created
# with unsafe permissions.
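Review bot: The `chmod 0644 "$f"` step in the last loop has no comment saying why a `live-additional-software.conf` that passes the 600 check is widened to world-readable while `persistence.conf` stays at 600; something like `# Migrate files created with the old 0600 mode; owner, group and ACL were verified by the check above.` would record the intent. The check and the `chmod` both resolve `"$f"` by path, so they only refer to the same file if nothing else can modify the `*_unlocked` directory at this point, which is worth confirming because this loop runs regardless of the mountpoint access rights. The mode is also spelled `600`, `644`, `0600` and `0644` across the new calls; one spelling for comparisons and one for `install`/`chmod` would be easier to audit. `activate_volumes` starts and ends outside this hunk.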
@@ -437,6 +459,14 @@ activate_volumes ()
fi
fi
+ # Get rid of any Enigmail configuredVersion that we previously used
+ # to set in a way that would persistently override the value maintained
+ # by Enigmail itself (#12680, #15693). We stopped writing this pref
+ # there a long time ago but recently instructed users to reintroduce
+ # this problem as a workaround (#15692).
+ tb_profile="$(dirname "${conf}")/thunderbird/profile.default"
+ rm -f "${tb_profile}/preferences/0000tails.js"
+
for vol in ${open_volumes}
do
if grep -qe "^${vol}\>" /proc/mounts
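Review bot: `tb_profile` is assigned without `local`, unlike the variables in the helper functions earlier in this diff, and it is derived from `${conf}`, which is set outside this hunk. If `conf` can be empty at this point, `dirname` returns `.` and the `rm -f` resolves relative to the current working directory, and if it is a loop variable only its last value is used; declaring `local tb_profile` and wrapping the removal in `if [ -n "${conf}" ]` would make both cases explicit. `activate_volumes` starts before and continues after this hunk, so where `conf` gets its value cannot be checked here.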