8 files changed, 327 insertions, 0 deletions
diff --git a/share/trashman/signal-desktop/info b/share/trashman/signal-desktop/info
new file mode 100644
index 0000000..bf2119f
--- /dev/null
+++ b/share/trashman/signal-desktop/info
@@ -0,0 +1 @@
+signal messenger desktop client
diff --git a/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg b/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg
Binary files differ
new file mode 100644
index 0000000..b5e68a0
--- /dev/null
+++ b/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg
diff --git a/share/trashman/signal-desktop/unix/linux/debian/install b/share/trashman/signal-desktop/unix/linux/debian/install
new file mode 100755
index 0000000..aa291f6
--- /dev/null
+++ b/share/trashman/signal-desktop/unix/linux/debian/install
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# Installs Signal Desktop.
+#
+
+# Parameters
+SHARE="$1"
+
+# Include basic functions
+. $SHARE/trashman/functions || exit 1
+. $SHARE/trashman/debian || exit 1
+
+# Install requirements
+trashman_apt_install curl apt-transport-https
+
+# Setup Signal repository
+#curl -s https://updates.signal.org/desktop/apt/keys.asc | apt-key add -
+cp $SHARE/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg /etc/apt/trusted.gpg.d/
+echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | tee /etc/apt/sources.list.d/signal-xenial.list > /dev/null
+
+# Install Signal
+trashman_apt_install signal-desktop
+
+# The SUID sandbox helper binary was found, but is not configured correctly.
+# Rather than run without sandboxing I'm aborting now.
+# You need to make sure that /opt/Signal/chrome-sandbox is owned by root and has mode 4755.
+chmod 4755 /opt/Signal/chrome-sandbox
diff --git a/share/trashman/tor-transproxy/info b/share/trashman/tor-transproxy/info
new file mode 100644
index 0000000..c56d1f7
--- /dev/null
+++ b/share/trashman/tor-transproxy/info
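Review bot: The vendored key is copied into `/etc/apt/trusted.gpg.d/`, which makes Signal's signing key a trusted signer for every APT source on the host, not only updates.signal.org, so a compromise of that one key (or of the blob committed here, which the diff shows only as a binary) would let a malicious mirror or on-path attacker sign packages for the Debian repositories as well. Scope the key to its own source by replacing the two repository lines with `cp "$SHARE/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg" /usr/share/keyrings/signal.org.gpg` and `echo "deb [arch=amd64 signed-by=/usr/share/keyrings/signal.org.gpg] https://updates.signal.org/desktop/apt xenial main" | tee /etc/apt/sources.list.d/signal-xenial.list > /dev/null`, and put the key's fingerprint in a comment next to the `cp` so a reviewer can check the vendored file against Signal's published one. The trailing `chmod 4755 /opt/Signal/chrome-sandbox` runs unconditionally, even when `trashman_apt_install signal-desktop` failed or the file is not root-owned; guard it with `[ -f /opt/Signal/chrome-sandbox ] && chown root:root /opt/Signal/chrome-sandbox && chmod 4755 /opt/Signal/chrome-sandbox`. It is also worth a comment that the setuid helper is only the fallback for kernels without unprivileged user namespaces — on kernels that allow them Chromium's namespace sandbox works without a setuid-root binary, which is the smaller attack surface, so the chmod may be unnecessary on the target host.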
@@ -0,0 +1 @@
+Tor transparent proxy
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables
new file mode 100755
index 0000000..68e4501
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
+# See also:
+#
+# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
+#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
+#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
+#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
+#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
+#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
+
+# Parameters
+IPTABLES=/sbin/iptables
+TOR_UID=`id -u debian-tor`
+NETWORK_USER_ID=1000
+
+# Clear existing rules
+$IPTABLES -F INPUT || exit
+$IPTABLES -F OUTPUT || exit
+$IPTABLES -t nat -F || exit
+
+# Transproxy rules for Tor
+$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 || exit
+$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit
+
+# Allow Tor, _apt, root and the network user
+$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
+$IPTABLES -A OUTPUT -j DROP || exit
+
+# Allow SSH
+$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit
+
+# Create INPUT firewall. Allow established connections and transproxy
+$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
+$IPTABLES -A INPUT -i lo -j ACCEPT || exit # Transproxy output comes from lo
+$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit
+$IPTABLES -A INPUT -j DROP || exit
+
+# Avoid packet leaks
+# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit
+iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit
+iptables -A OUTPUT -m state --state INVALID -j DROP || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc
new file mode 100644
index 0000000..2b7369f
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc
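Review bot: The "Avoid packet leaks" rules at the end of the script are appended with `-A OUTPUT` after the chain already ends in `$IPTABLES -A OUTPUT -j DROP` and after the four `--uid-owner ... -j ACCEPT` rules, so they are unreachable: a stray ACK,FIN or ACK,RST from a root- or uid-1000-owned socket is accepted before them and the "Transproxy leak blocked" LOG lines never fire (the commented-out originals from the tor-talk post use `-I`, which is what made them effective). The script also fails open — `-F` runs while the default policy is still ACCEPT, and every `|| exit` abandons a half-built OUTPUT chain that accepts everything — so `-P INPUT DROP`, `-P OUTPUT DROP` and `-P FORWARD DROP` belong before the flush, and nothing touches ip6tables at all, so on a host with IPv6 connectivity v6 traffic bypasses both the nat REDIRECT and the filter. Two smaller defects: `$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: "` is on the wrong chain (it logs every inbound packet ahead of the ESTABLISHED/lo ACCEPTs and `--log-uid` has nothing to report there) and should read `$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit`, and the `--dport 5300` INPUT rule is dead since DNSPort is 5353 and loopback is already accepted. Moving the leak rules ahead of the uid ACCEPTs makes them apply to Tor's own sockets too; if that is not wanted, add `-m owner ! --uid-owner $TOR_UID` to them, the same pattern the nat rules use.
```shell
# Parameters
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
TOR_UID=$(id -u debian-tor) || exit   # an empty uid would silently break every owner match below
NETWORK_USER_ID=1000

# Fail closed: set DROP policies before touching any chain, so a flush or a
# failed rule below never leaves the host with an ACCEPT-all OUTPUT chain
$IPTABLES -P INPUT DROP || exit
$IPTABLES -P OUTPUT DROP || exit
$IPTABLES -P FORWARD DROP || exit

# Tor only listens on 127.0.0.1 here, so IPv6 would bypass the transproxy: allow it on lo only
$IP6TABLES -P INPUT DROP || exit
$IP6TABLES -P OUTPUT DROP || exit
$IP6TABLES -P FORWARD DROP || exit
$IP6TABLES -F || exit
$IP6TABLES -A INPUT -i lo -j ACCEPT || exit
$IP6TABLES -A OUTPUT -o lo -j ACCEPT || exit

# … unchanged: -F INPUT / -F OUTPUT / -t nat -F and the two nat REDIRECT rules …

# Leak protection must precede any ACCEPT, otherwise it never matches
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit

# Allow Tor, _apt, root and the network user
# … unchanged: the four --uid-owner ACCEPT rules …
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
$IPTABLES -A OUTPUT -j DROP || exit

# … unchanged: SSH and INPUT rules, minus the dead --dport 5300 line …
```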
@@ -0,0 +1,183 @@
+## Configuration file for a typical Tor user
+## Last updated 22 December 2007 for Tor 0.2.0.14-alpha.
+## (May or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See the man page, or https://www.torproject.org/tor-manual-dev.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc
+
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+## SocksPort for Tails-specific applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests from SocksListenAddress.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+ControlPort 9052
+ControlListenAddress 127.0.0.1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## A unique handle for your server.
+#Nickname ididnteditheconfig
+
+## The IP or FQDN for your server. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## Define these to limit the bandwidth usage of relayed (server)
+## traffic. Your own traffic is still unthrottled.
+## Note that RelayBandwidthRate must be at least 20 KB.
+#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)
+
+## Contact info to be published in the directory, so we can contact you
+## if your server is misconfigured or something else goes wrong.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>
+
+## Required: what port to advertise for Tor connections.
+#ORPort 9001
+## If you need to listen on a port other than the one advertised
+## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
+## line below too. You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORListenAddress 0.0.0.0:9090
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you need to listen on a port other than the one advertised
+## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
+## below too. You'll need to do ipchains or other port forwarding yourself
+## to make this work.
+#DirListenAddress 0.0.0.0:9091
+
+## Uncomment this if you run more than one Tor server, and add the
+## nickname of each Tor server you control, even if they're on different
+## networks. You declare it here so Tor clients can avoid using more than
+## one of your servers in a single circuit. See
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
+#MyFamily nickname1,nickname2,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## available in the man page or at https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+#
+################ This section is just for bridge relays ##############
+#
+## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even if an
+## ISP is filtering connections to all the known Tor relays, they probably
+## won't be able to block all the bridges. Unlike running an exit relay,
+## running a bridge relay just passes data to and from the Tor network --
+## so it shouldn't expose the operator to abuse complaints.
+
+#ORPort 443
+#BridgeRelay 1
+#RelayBandwidthRate 50KBytes
+#ExitPolicy reject *:*
+
+
+################ Local settings ########################################
+
+## Torified DNS
+DNSPort 5353
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit,.onion
+
+## Transparent proxy
+TransPort 9040
+TransListenAddress 127.0.0.1
+
+## Misc
+AvoidDiskWrites 1
+
+## We don't care if applications do their own DNS lookups since our Tor
+## enforcement will handle it safely.
+WarnUnsafeSocks 0
+
+## Disable default warnings on StartTLS for email. Let's not train our
+## users to click through security warnings.
+WarnPlaintextPorts 23,109
+
+## Tor 0.3.x logs to syslog by default, which we redirect to the Journal;
+## but we have some code that reads Tor's logs and only supports plaintext
+## log files at the moment, so let's keep logging to a file.
+Log notice file /var/log/tor/log
+
+# WARNING: Hashed empty password, useful for a box with only a single user running Tor Browser
+# using the system-installed tor daemon and with sane firewall rules set.
+HashedControlPassword 16:756491A440833A1B609F2CCC095BFD2769A1634B4BEC4214BAA9E20629
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js b/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js
new file mode 100644
index 0000000..f8d9c0d
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js
@@ -0,0 +1,20 @@
+// Preferences for system-installed Tor Browser
+// Needs either
+//
+// * Setting TOR_CONTROL_PASSWORD at ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+// * Passing TOR_CONTROL_PASSWORD to start-tor-browser via the command line
+//
+// See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+//
+user_pref("network.security.ports.banned", "9050,9052");
+user_pref("network.proxy.socks", "127.0.0.1");
+user_pref("network.proxy.socks_port", 9050);
+user_pref("extensions.torbutton.inserted_button", true);
+user_pref("extensions.torbutton.launch_warning", false);
+user_pref("extensions.torbutton.loglevel", 2);
+user_pref("extensions.torbutton.logmethod", 0);
+user_pref("extensions.torlauncher.control_port", 9052);
+user_pref("extensions.torlauncher.loglevel", 2);
+user_pref("extensions.torlauncher.logmethod", 0);
+user_pref("extensions.torlauncher.prompt_at_startup",false);
+user_pref("extensions.torlauncher.start_tor", false);
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/install b/share/trashman/tor-transproxy/unix/linux/debian/install
new file mode 100755
index 0000000..7972ac4
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/install
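Review bot: `HashedControlPassword` at the end of the hunk is, per its own comment, the hash of an empty password, so anything that can reach 127.0.0.1:9052 authenticates with `AUTHENTICATE ""` and gets full control of the daemon — `SETCONF` to switch off TransPort or DNSPort, `GETINFO` on live circuits and streams, `SIGNAL NEWNYM` — and given the firewall shipped alongside (OUTPUT to loopback is allowed for root, uid 1000, debian-tor and _apt) that is every process running under those users, not only Tor Browser. Tor's cookie authentication is the designed answer for a local browser sharing a system daemon: `CookieAuthentication 1` plus `CookieAuthFileGroupReadable 1`, with the browser's user added to the debian-tor group and the launcher pointed at the cookie file rather than a password (Tor Launcher honours `TOR_CONTROL_COOKIE_AUTH_FILE`, if I read its environment handling correctly). `ControlListenAddress` and `TransListenAddress` are deprecated and have been dropped from recent Tor releases, so a daemon that rejects unknown options will refuse this file; fold the address into the port option instead, `ControlPort 127.0.0.1:9052` and `TransPort 127.0.0.1:9040` (and `DNSPort 127.0.0.1:5353` for symmetry). The comment above `WarnPlaintextPorts 23,109` describes a StartTLS warning being disabled, but what the line does is replace Tor's documented default of 23,109,110,143 — i.e. it silences the warning for 110 and 143 only — and the comment should say that so the next reader does not take it for a no-op.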
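Review bot: `network.security.ports.banned` is set to `"9050,9052"`, which replaces Tor Browser's built-in banned list rather than extending it, while the torrc in this same commit also binds SocksPort 9062 and 9150, DNSPort 5353 and TransPort 9040 on loopback; a page that induces the browser to open a connection to 127.0.0.1 on one of those ports presumably reaches a Tor listener that this preference was meant to fence off. List every port the daemon binds: `user_pref("network.security.ports.banned", "5353,9040,9050,9052,9062,9150");`. The header comment says the file needs `TOR_CONTROL_PASSWORD` set or passed, but the accompanying torrc ships a hashed empty password, so the comment should state which value the daemon actually expects (the empty string, per the torrc comment) or, better, that cookie auth is intended — as written, a reader will set a real password that the daemon then rejects.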
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+#
+# Tor transparent proxy
+#
+
+# Parameters
+SHARE="$1"
+
+# Include basic functions
+. $SHARE/trashman/functions || exit 1
+. $SHARE/trashman/debian || exit 1
+
+# Dependencies
+trashman_apt_install tor iptables
+
+# Firewall config
+cp $SHARE/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables /etc/network/if-pre-up.d/iptables
+/etc/network/if-pre-up.d/iptables
+
+# DNS config
+echo "nameserver 127.0.0.1" | tee /etc/resolv.conf > /dev/null
+
+# Tor config
+cp $SHARE/tor-transproxy/unix/linux/debian/files/etc/tor/torrc /etc/tor/torrc
+service tor restart
+
+# Tor Browser config to use the system-installed tor daemon
+# Use this to configure your regular user account
+# See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+#if [ -e "$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser" ]; then
+# # Force about:config preferences
+# cp $SHARE/tor-transproxy/unix/linux/debian/files/tbb/user.js $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/user.js
+#
+# # Hard code control port password into the start-tor-browser script
+# sed -i -e "s/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"secret\"'/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"\"'}/" \
+# $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+#fi
|
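Review bot: The firewall is installed only as an ifupdown hook at `/etc/network/if-pre-up.d/iptables`, so after the one manual run on the next line it is re-applied at boot only on hosts where ifupdown brings up the interface; with NetworkManager or systemd-networkd the hook never fires again, and after a reboot the box is back to the kernel's ACCEPT-all policy with every application talking to the network in the clear — the opposite of what a transproxy install should fail to. Persist the rules independently of the network stack (for example `trashman_apt_install iptables-persistent` and `iptables-save > /etc/iptables/rules.v4` after the script has run, or a systemd unit ordered before `network-pre.target`), and check the hook's exit status, since a rule failing part-way is currently ignored: `/etc/network/if-pre-up.d/iptables || exit 1`, and likewise `service tor restart || exit 1` so a torrc the daemon rejects does not go unnoticed. `echo "nameserver 127.0.0.1" | tee /etc/resolv.conf` is rewritten by resolvconf, NetworkManager or systemd-resolved on the next lease on many Debian installs; the nat REDIRECT of UDP 53 still catches those queries, but as far as I can tell a TCP/53 query to the restored upstream resolver would be redirected into TransPort and carried to that resolver through a Tor exit, so either protect the file or document in the comment that the firewall, not resolv.conf, is the DNS-leak control. Quote `"$SHARE"` in the two `cp` lines and the two `.` source lines so a share path containing spaces does not split.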