Include check for pre-4.19 Tails versions in network hook. Attempt to…
… repair auto-updates on those systems
rocodes committed Sep 28, 2021
1 parent 1136bab commit 327e9df
Showing 1 changed file with 72 additions and 1 deletion.
Expand Up @@ -7,7 +7,8 @@
import sys
import subprocess

from shutil import copyfile
import tempfile
from shutil import copyfile, copyfileobj


# check for root
Expand Down Expand Up @@ -37,6 +38,7 @@
'install_files/ansible-base/mon-ssh.auth_private')
}
path_onion_auth_dir = '/var/lib/tor/onion_auth'
path_tails_version = '/etc/amnesia/version'

# load torrc_additions
if os.path.isfile(path_torrc_additions):
Expand Down Expand Up @@ -148,3 +150,72 @@
if b'Update needed' in output or os.path.exists(flag_location):
# Start the SecureDrop updater GUI.
subprocess.Popen(['python3', path_gui_updater], env=env)

# Check for Tails < 4.19 and apply a fix to the auto-updater.
# See https://tails.boum.org/news/version_4.18/
# (Suggested removal: 2022/01)
tails_min_version = [4, 19]
needs_update = False
tails_current_version = None

try:
with open('/etc/os-release') as file:
for line in file:
try:
k, v = line.strip().split("=")
if k == "TAILS_VERSION_ID":
tails_current_version = v.strip("\"").split(".")
except ValueError:
continue

except FileNotFoundError:
sys.exit('Error checking Tails version. Please visit https://tails.boum.org ' +
'to ensure your version of Tails is up to date.')

if tails_current_version:
try:
needs_update = (len(tails_current_version) >= len(tails_min_version) and
(int(tails_current_version[0]) < tails_min_version[0]
or int(tails_current_version[1]) < tails_min_version[1]))

except (TypeError, ValueError):
sys.exit(0) # Don't break tailsconfig trying to fix this

if needs_update:
cert_name = 'isrg-root-x1-cross-signed.pem'
pem_file = tempfile.NamedTemporaryFile(delete=True)

try:
subprocess.call(['torsocks', 'curl', '--silent',
'https://tails.boum.org/' + cert_name],
stdout=pem_file, env=env)

# Verify against /etc/ssl/certs/DST_Root_CA_X3.pem, which cross-signs
# the new LetsEncrypt cert but is expiring
verify_proc = subprocess.check_output(['openssl', 'verify',
'-no_check_time', '-no-CApath',
'-CAfile',
'/etc/ssl/certs/DST_Root_CA_X3.pem',
pem_file.name],
universal_newlines=True, env=env)

if 'OK' in verify_proc:

# Updating the cert chain requires sudo privileges
os.setresgid(0, 0, -1)
os.setresuid(0, 0, -1)

with open('/usr/local/etc/ssl/certs/tails.boum.org-CA.pem', 'a') as chain:
pem_file.seek(0)
copyfileobj(pem_file, chain)

# As amnesia user, start updater GUI
os.setresgid(amnesia_gid, amnesia_gid, -1)
os.setresuid(amnesia_uid, amnesia_uid, -1)
restart_proc = subprocess.call(['systemctl', '--user', 'restart',
'tails-upgrade-frontend'], env=env)
except IOError:
sys.exit(0) # Don't break tailsconfig trying to fix this

finally:
pem_file.close()
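Review bot: When the downloaded file does not chain to DST Root CA X3 (or is empty because the torsocks/curl call failed, whose return code is ignored), `openssl verify` exits non-zero and `subprocess.check_output` raises `subprocess.CalledProcessError`, which the `except IOError:` at the end of the block does not catch — so the failure path that the comment says must not break tailsconfig ends in an uncaught traceback; catch it explicitly with `except (IOError, subprocess.CalledProcessError):`. The substring test `'OK' in verify_proc` is also looser than needed, since openssl's output echoes the file path and subject names; matching the exact success line, `if verify_proc.strip().endswith(': OK'):`, avoids accepting anything else, and adding curl's `--fail` flag keeps an HTTP error body from being written into the PEM file at all. Separately, the version check compares major and minor independently, so a hypothetical 5.0 release would be treated as pre-4.19 because 0 < 19; comparing them as a pair, `needs_update = [int(x) for x in tails_current_version[:2]] < tails_min_version`, gives the intended ordering. Since this hook runs on every network connection, the append to tails.boum.org-CA.pem is repeated each time within a session; a check that the cert is not already present would keep the file from growing. `amnesia_uid`, `amnesia_gid` and `env` are defined outside the hunk.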
