[Tails-dev] Added support for keeping entry guards

Author: winterfairy
Date:  
To: tails-dev
Subject: [Tails-dev] Added support for keeping entry guards
The following patches introduce support for persisting /var/lib/tor. The
primary benefit of this is the improved security/anonymity by keeping one's
Tor entry guards. But there are bootstrap and circuit speed benefits too.
Read the commit summaries for reasoning and explanation.

Please review, and tell me if there is something you want to be done
differently.

I tested the following: The entry guards are now persisted and Tor works
as it should, verified using Vidalia's network map and Wireshark. I also
tested mounting the persistent volume in read-only mode, and that also
works, as a writeable overlay seems to be mounted over the read-only data.
I also tested bridge mode, and it seems not to break with this enabled,
but of course it is useless in bridge mode and just leaves unnecessary
traces. And finally I also verified that if I give the folder bad
ownership it is corrected as it should (see patch summary for why).

Patches against persistent-setup (master branch):
0001-Add-preset-for-persisting-Tor-entry-guards-and-Tor-c.patch
0002-Update-POT-file-to-include-new-strings.patch

Patches against tails-greeter (master branch):
0001-Fix-ownership-of-var-lib-tor-after-login-before-Tor-.patch
From 55f6263fc4a9bca88ac8cf9a6af3e6478d1afa2f Mon Sep 17 00:00:00 2001
From: Tails developers <tails@???>
Date: Sat, 25 May 2013 12:56:11 +0000
Subject: [PATCH 1/2] Add preset for persisting Tor entry guards (and Tor cache).

This preset provides important anonymity attack resistance
for those users who do not use bridges and do not worry
about being fingerprinted locally by the ISP or network
admin by which guards are used (like a MAC address).
It is disabled by default since Tails aims at being amnesic
by default.

Important: This depends on tails-greeter fixing the
ownership of the persisted folder, as the Tor user's
UID/GID may change between Tails releases.
---
lib/Tails/Persistence/Configuration/Presets.pm | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/lib/Tails/Persistence/Configuration/Presets.pm b/lib/Tails/Persistence/Configuration/Presets.pm
index 43a450f..0723abd 100644
--- a/lib/Tails/Persistence/Configuration/Presets.pm
+++ b/lib/Tails/Persistence/Configuration/Presets.pm
@@ -55,6 +55,16 @@ method _build__presets {
             icon_name   => 'stock_folder',
         },
         {
+            name        => $self->encoding->decode(gettext(q{Tor Entry Guards})),
+            description => $self->encoding->decode(gettext(
+                q{Keep entry guards for better anonymity}
+            )),
+            destination => '/var/lib/tor',
+            options     => [ 'source=tor-state' ],
+            enabled     => 0,
+            icon_name   => 'vidalia',
+        },
+        {
             name        => $self->encoding->decode(gettext(q{GnuPG})),
             description => $self->encoding->decode(gettext(
                 q{GnuPG keyrings and configuration}
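Review bot: the user-visible description `Keep entry guards for better anonymity` carries none of the trade-off the commit message states, namely that the persisted guard set can be used to fingerprint the machine by the local ISP or network admin (like a MAC address) and that it is useless when bridges are in use; since this is the only text the user sees when enabling the preset, it should carry that caveat, for example `Keep entry guards for better anonymity (not recommended with bridges)`. `enabled => 0` is the right default for an opt-in feature, but nothing in this file records the cross-repository dependency the commit message calls out (tails-greeter must fix the ownership of `/var/lib/tor` before Tor starts); a one-line comment above the new entry would keep that from being lost when the two repositories are merged separately.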
-- 
1.7.2.5

From ac35130e78359520e72b62f2ff47194185c915db Mon Sep 17 00:00:00 2001
From: Tails developers <tails@???>
Date: Sat, 25 May 2013 20:05:59 +0000
Subject: [PATCH] Fix ownership of /var/lib/tor after login before Tor is started.

This is needed in case this folder is persistent, as the
numeric ids for "debian-tor" may change between Tails versions.
A "find" trick is used instead of "chown -R" so we avoid
some disk writes when the permissions are already right.
---
PostLogin.default | 13 +++++++++----
1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/PostLogin.default b/PostLogin.default
index aa8f87f..f7a5eba 100755
--- a/PostLogin.default
+++ b/PostLogin.default
@@ -61,10 +61,6 @@ if [ -z "${LIVE_USERNAME}" ] ; then
     log_n_exit "Username variable not found."
 fi


-
-### (re-)start services that need to wait for post-login time
-service network-manager restart
-
### Camouflage

 CAMOUFLAGE_SETTINGS="/var/lib/gdm3/tails.camouflage"
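Review bot: this hunk only deletes the `service network-manager restart` block, which the second hunk re-adds after the camouflage and additional-software sections. Moving the restart later means everything between the old and the new position now runs before NetworkManager has been restarted, so confirm that none of those steps (notably `/usr/local/sbin/tails-additional-software`) expects the network to be up at that point, and state the reordering in the commit message, which currently only describes the ownership fix.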
@@ -110,6 +106,15 @@ else
    log_n_exit "'/usr/local/sbin/tails-additional-software' does not exist or is not executable."
 fi


+# Ensure the files in /var/lib/tor have correct ownership.
+# The Tor user's UID and GID may change between Tails versions,
+# and this directory may be persistent.
+# Important: Do this before running network-manager hooks.
+find /var/lib/tor ! -user debian-tor -o ! -group debian-tor | xargs chown debian-tor:debian-tor
+
+### (re-)start services that need to wait for post-login time
+service network-manager restart
+
### Password

# Import password for superuser access
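Review bot: the `find ... | xargs chown` line has three robustness problems. First, in the common case where every file already has the right owner, `find` prints nothing and GNU `xargs` still runs `chown debian-tor:debian-tor` with no operands, which fails with a usage error on every login; `xargs -r` or an `-exec ... {} +` action avoids that. Second, filenames are passed through a newline-separated pipe, so a path containing whitespace would be split by `xargs`; `-print0` with `xargs -0`, or `-exec`, avoids that too. Third, `chown` without `-h` follows symlinks, so a symlink placed inside a persisted `/var/lib/tor` would change the ownership of its target rather than of the link. Note also that the bare `-o` only works here because `-print` is implicit and applies to the whole expression; as soon as an explicit action is added, the two tests must be grouped. One replacement covers all of this: `find /var/lib/tor \( ! -user debian-tor -o ! -group debian-tor \) -exec chown -h debian-tor:debian-tor {} +`. Finally, the script does not check that `/var/lib/tor` exists before calling `find`, which would log an error on an image without a Tor state directory.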
--
1.7.2.5
From b423adae07ae03d272850f017daa6600fd01b8d5 Mon Sep 17 00:00:00 2001
From: Tails developers <tails@???>
Date: Tue, 28 May 2013 18:21:29 +0000
Subject: [PATCH 2/2] Update POT file to include new strings

---
po/tails-persistence-setup.pot | 112 +++++++++++++++++++--------------------
1 files changed, 55 insertions(+), 57 deletions(-)

diff --git a/po/tails-persistence-setup.pot b/po/tails-persistence-setup.pot
index 4908469..27fdbc1 100644
--- a/po/tails-persistence-setup.pot
+++ b/po/tails-persistence-setup.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: Tails developers <tails@???>\n"
-"POT-Creation-Date: 2012-11-27 21:00+0100\n"
+"POT-Creation-Date: 2013-05-28 18:20+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@???>\n"
@@ -26,161 +26,169 @@ msgid "Keep files stored in the `Persistent' directory"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:58
-msgid "GnuPG"
+msgid "Tor Entry Guards"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:60
-msgid "GnuPG keyrings and configuration"
+msgid "Keep entry guards for better anonymity"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:68
-msgid "SSH Client"
+msgid "GnuPG"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:70
-msgid "SSH keys, configuration and known hosts"
+msgid "GnuPG keyrings and configuration"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:78
-msgid "Pidgin"
+msgid "SSH Client"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:80
-msgid "Pidgin profiles and OTR keyring"
+msgid "SSH keys, configuration and known hosts"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:88
-msgid "Claws Mail"
+msgid "Pidgin"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:90
-msgid "Claws Mail profiles and locally stored email"
+msgid "Pidgin profiles and OTR keyring"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:98
-msgid "GNOME Keyring"
+msgid "Claws Mail"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:100
-msgid "Secrets stored by GNOME Keyring"
+msgid "Claws Mail profiles and locally stored email"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:108
-msgid "Network Connections"
+msgid "GNOME Keyring"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:110
-msgid "Configuration of network devices and connections"
+msgid "Secrets stored by GNOME Keyring"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:118
-msgid "Browser bookmarks"
+msgid "Network Connections"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:120
-msgid "Bookmarks saved in Iceweasel browser"
+msgid "Configuration of network devices and connections"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:128
-msgid "APT Packages"
+msgid "Browser bookmarks"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:130
-msgid "Packages downloaded by APT"
+msgid "Bookmarks saved in Iceweasel browser"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:138
-msgid "APT Lists"
+msgid "APT Packages"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:140
-msgid "Lists downloaded by APT"
+msgid "Packages downloaded by APT"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:148
-msgid "Dotfiles"
+msgid "APT Lists"
msgstr ""

#: ../lib/Tails/Persistence/Configuration/Presets.pm:150
+msgid "Lists downloaded by APT"
+msgstr ""
+
+#: ../lib/Tails/Persistence/Configuration/Presets.pm:158
+msgid "Dotfiles"
+msgstr ""
+
+#: ../lib/Tails/Persistence/Configuration/Presets.pm:160
msgid ""
"Symlink into $HOME every file or directory found in the `dotfiles' directory"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:259
+#: ../lib/Tails/Persistence/Setup.pm:258
msgid ""
"The device Tails is running from cannot be found. Maybe you used the `toram' "
"option?"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:284
+#: ../lib/Tails/Persistence/Setup.pm:283
msgid "'Unparseable partition path.'"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:298
+#: ../lib/Tails/Persistence/Setup.pm:291
msgid "Setup Tails persistent volume"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:442
+#: ../lib/Tails/Persistence/Setup.pm:435
#, perl-format
msgid "Device %s already has a persistent volume."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:450
+#: ../lib/Tails/Persistence/Setup.pm:443
#, perl-format
msgid "Device %s has not enough unallocated space."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:458 ../lib/Tails/Persistence/Setup.pm:472
+#: ../lib/Tails/Persistence/Setup.pm:451 ../lib/Tails/Persistence/Setup.pm:465
#, perl-format
msgid "Device %s has no persistent volume."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:464
+#: ../lib/Tails/Persistence/Setup.pm:457
msgid ""
"Cannot delete the persistent volume while in use. You should restart Tails "
"without persistence."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:483
+#: ../lib/Tails/Persistence/Setup.pm:476
msgid "Persistence volume is not unlocked."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:488
+#: ../lib/Tails/Persistence/Setup.pm:481
msgid "Persistence volume is not mounted."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:493
+#: ../lib/Tails/Persistence/Setup.pm:486
msgid "Persistence volume is not readable. Permissions or ownership problems?"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:498
+#: ../lib/Tails/Persistence/Setup.pm:491
msgid "Persistence volume is not writable. Maybe it was mounted read-only?"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:507
+#: ../lib/Tails/Persistence/Setup.pm:500
#, perl-format
msgid "Tails is running from non-USB device %s."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:513
+#: ../lib/Tails/Persistence/Setup.pm:506
#, perl-format
msgid "Device %s is optical."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:520
+#: ../lib/Tails/Persistence/Setup.pm:513
#, perl-format
msgid "Device %s was not created using Tails USB installer."
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:554
+#: ../lib/Tails/Persistence/Setup.pm:547
msgid "Error"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:861
+#: ../lib/Tails/Persistence/Setup.pm:854
msgid "Persistence wizard - Finished"
msgstr ""

-#: ../lib/Tails/Persistence/Setup.pm:864
+#: ../lib/Tails/Persistence/Setup.pm:857
msgid ""
"Any changes you have made will only take effect after restarting Tails.\n"
"\n"
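Review bot: besides the two new `Tor Entry Guards` strings, this hunk renumbers every `Setup.pm` reference (for example `Setup.pm:259` becomes `Setup.pm:258`), yet no change to `Setup.pm` is part of this series, so the POT was regenerated against a tree that already differs from the `persistent-setup` master these patches target. The unrelated line-number churn makes the diff hard to review and will conflict with any other branch that touches the POT; either restrict the regeneration to the strings this series adds, or leave the POT refresh to the maintainer at merge time.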
@@ -237,29 +245,19 @@ msgstr ""
msgid "Failed"
msgstr ""

-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:269
-#: ../lib/Tails/Persistence/Step/Delete.pm:84
-msgid "Correcting attributes on Tails system partition."
-msgstr ""
-
-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:272
-#: ../lib/Tails/Persistence/Step/Delete.pm:87
-msgid "The attributes of the Tails system partition will be corrected."
-msgstr ""
-
-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:280
+#: ../lib/Tails/Persistence/Step/Bootstrap.pm:271
msgid "Mounting Tails persistence partition."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:283
+#: ../lib/Tails/Persistence/Step/Bootstrap.pm:274
msgid "The Tails persistence partition will be mounted."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:304
+#: ../lib/Tails/Persistence/Step/Bootstrap.pm:296
msgid "Creating..."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Bootstrap.pm:307
+#: ../lib/Tails/Persistence/Step/Bootstrap.pm:299
msgid "Creating the persistent volume..."
msgstr ""
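Review bot: this hunk drops the `Correcting attributes on Tails system partition.` and `The attributes of the Tails system partition will be corrected.` strings together with their `Bootstrap.pm` and `Delete.pm` references, but nothing in this series removes those strings from the source. Same concern as for the previous hunk: confirm the strings are really gone from `Bootstrap.pm` and `Delete.pm` on the target branch, otherwise translators lose entries that are still in use.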

@@ -299,28 +297,28 @@ msgstr ""
msgid "Saving persistence configuration..."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:41
+#: ../lib/Tails/Persistence/Step/Delete.pm:40
msgid "Persistence wizard - Persistent volume deletion"
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:44
+#: ../lib/Tails/Persistence/Step/Delete.pm:43
msgid "Your persistent data will be deleted."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:48
+#: ../lib/Tails/Persistence/Step/Delete.pm:47
#, perl-format
msgid ""
"The persistent volume %s (%s), on the <b>%s %s</b> device, will be deleted."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:54
+#: ../lib/Tails/Persistence/Step/Delete.pm:53
msgid "Delete"
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:99
+#: ../lib/Tails/Persistence/Step/Delete.pm:91
msgid "Deleting..."
msgstr ""

-#: ../lib/Tails/Persistence/Step/Delete.pm:102
+#: ../lib/Tails/Persistence/Step/Delete.pm:94
msgid "Deleting the persistent volume..."
msgstr ""
--
1.7.2.5