From c7bfed8fc64693556cb0df8b32c56928c4c03e6b Mon Sep 17 00:00:00 2001
From: ro
Date: Mon, 27 Sep 2021 17:18:04 -0400
Subject: [PATCH] Include check for pre-4.19 Tails versions in network hook.
Attempt to repair auto-updates on those systems
---
.../tails-config/files/securedrop_init.py | 72 ++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/install_files/ansible-base/roles/tails-config/files/securedrop_init.py b/install_files/ansible-base/roles/tails-config/files/securedrop_init.py
index bb930a6837f..bf240456084 100644
--- a/install_files/ansible-base/roles/tails-config/files/securedrop_init.py
+++ b/install_files/ansible-base/roles/tails-config/files/securedrop_init.py
@@ -7,7 +7,8 @@ import sys import subprocess
-from shutil import copyfile
+import tempfile
+from shutil import copyfile, copyfileobj
# check for root
@@ -37,6 +38,7 @@
'install_files/ansible-base/mon-ssh.auth_private')
}
path_onion_auth_dir = '/var/lib/tor/onion_auth'
+path_tails_version = '/etc/amnesia/version'
# load torrc_additions
if os.path.isfile(path_torrc_additions): 
@@ -148,3 +150,71 @@
if b'Update needed' in output or os.path.exists(flag_location):
# Start the SecureDrop updater GUI.
subprocess.Popen(['python3', path_gui_updater], env=env)
+
+# Check for Tails < 4.19 and apply a fix to the auto-updater.
+# See https://tails.boum.org/news/version_4.18/
+# (Suggested removal: 2022/01)
+tails_min_version = [4, 19]
+needs_update = False
+
+try:
+ cmd = 'cat /etc/os-release | grep VERSION | cut -f2 -d\\"'
+
+ # Using shell=True because contents of /etc/os-release are trusted
+ tails_current_version = subprocess.check_output(cmd,
+ shell=True,
+ universal_newlines=True,
+ env=env).strip().split(".") # nosec
+
+ try:
+ needs_update = (len(tails_current_version) >= len(tails_min_version) and
+ (int(tails_current_version[0]) < tails_min_version[0]
+ or int(tails_current_version[1]) < tails_min_version[1]))
+
+ except (TypeError, ValueError):
+ sys.exit('Error checking Tails version. Please visit tails.boum.org ' +
+ 'to ensure your version of Tails is up to date.')
+
+ if needs_update:
+ cert_name = 'isrg-root-x1-cross-signed.pem'
+ pem_file = tempfile.NamedTemporaryFile(delete=True)
+
+ try:
+ pem_download_proc = subprocess.call(['torsocks',
+ 'curl',
+ '--silent',
+ 'https://tails.boum.org/' + cert_name],
+ stdout=pem_file, env=env)
+
+ # Verify against /etc/ssl/certs/DST_Root_CA_X3.pem, which cross-signs
+ # the new LetsEncrypt cert but is expiring
+ verify_proc = subprocess.check_output(['openssl', 'verify',
+ '-no_check_time', '-no-CApath',
+ '-CAfile',
+ '/etc/ssl/certs/DST_Root_CA_X3.pem',
+ '/tmp/' + cert_name],
+ universal_newlines=True, env=env)
+
+ if 'OK' in verify_proc:
+
+ # Updating the cert chain requires sudo privileges
+ os.setresgid(0, 0, -1)
+ os.setresuid(0, 0, -1)
+
+ with open('/usr/local/etc/ssl/certs/tails.boum.org-CA.pem', 'a') as chain:
+ pem_file.seek(0)
+ copyfileobj(pem_file, chain)
+ chain.close()
+
+ # As amnesia user, start updater GUI
+ os.setresgid(amnesia_gid, amnesia_gid, -1)
+ os.setresuid(amnesia_uid, amnesia_uid, -1)
+ restart_proc = subprocess.call(['systemctl', '--user', 'restart',
+ 'tails-upgrade-frontend'], env=env)
+
+ finally:
+ pem_file.close()
+
+except subprocess.CalledProcessError:
+ sys.exit('Error checking Tails version. Please visit tails.boum.org ' +
+ 'to ensure your version of Tails is up to date.')
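Review bot: The `openssl verify` call checks `'/tmp/' + cert_name`, a path nothing in this hunk writes, while the bytes later appended to the CA bundle as root come from `pem_file`, an unrelated NamedTemporaryFile — so the data that ends up trusted is never the data that was verified, and a pre-existing file at that fixed world-writable /tmp path is what would pass the check. Verify the downloaded file itself (`pem_file.flush()` first, then pass `pem_file.name` instead of the /tmp path) and check curl's exit status before calling openssl, since `--silent` plus the unchecked `pem_download_proc` otherwise lets an empty or failed download reach the verify step. The major/minor comparison is also wrong for any major bump (a 5.0 release yields `0 < 19` and reports the fix as needed); comparing the parsed `[major, minor]` list against `tails_min_version` fixes it. `path_tails_version` is introduced in the earlier hunk but unused here, and the `grep VERSION` pipeline would produce a multi-line result if /etc/os-release carries a second `VERSION*` key, which breaks the `int()` parse — reading the version file directly would remove the shell pipeline, though what Tails writes there should be confirmed first.
```python
            needs_update = (len(tails_current_version) >= len(tails_min_version) and
                            [int(v) for v in tails_current_version[:2]] < tails_min_version)
# … unchanged: except clause, cert_name / pem_file setup, curl download …
            pem_file.flush()
            if pem_download_proc != 0:
                sys.exit('Error downloading the updated certificate chain for tails.boum.org.')

            # Verify the file that was actually downloaded, not a fixed path under /tmp
            verify_proc = subprocess.check_output(['openssl', 'verify',
                                                   '-no_check_time', '-no-CApath',
                                                   '-CAfile',
                                                   '/etc/ssl/certs/DST_Root_CA_X3.pem',
                                                   pem_file.name],
                                                  universal_newlines=True, env=env)
# … unchanged: privilege switch, append to CA bundle, restart of the updater …
```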