The following patches introduce support for persisting /var/lib/tor. The primary benefit of this is the improved security/anonymity by keeping one's Tor entry guards. But there are bootstrap and circuit speed benefits too. Read the commit summaries for reasoning and explanation.
Please review, and tell me if there is something you want to be done differently.

I tested the following: the entry guards are now persisted and Tor works as it should, verified using Vidalia's network map and Wireshark. I also tested mounting the persistent volume in read-only mode, and that also works, as a writeable overlay seems to be mounted over the read-only data. I also tested bridge mode, and it seems not to break with this enabled, but of course it is useless in bridge mode and just leaves unnecessary traces. And finally I also verified that if I give the folder bad ownership it is corrected as it should (see patch summary for why).

Patches against persistent-setup (master branch):

0001-Add-preset-for-persisting-Tor-entry-guards-and-Tor-c.patch
0002-Update-POT-file-to-include-new-strings.patch

Patches against tails-greeter (master branch):

0001-Fix-ownership-of-var-lib-tor-after-login-before-Tor-.patch
>From 55f6263fc4a9bca88ac8cf9a6af3e6478d1afa2f Mon Sep 17 00:00:00 2001 From: Tails developers <ta...@boum.org> Date: Sat, 25 May 2013 12:56:11 +0000 Subject: [PATCH 1/2] Add preset for persisting Tor entry guards (and Tor cache). This preset provide important anonymity attack resistance for those users who do not use bridges and do not worry about being fingerprinted locally by the ISP or network admin by which guards is used (like a MAC address). It is disabled by default since Tails aim at being amnesic by default. Important: This depends on that tails-greeter fix the ownership of the persisted folder, as Tor user's UID/GID may change between Tails releases. --- lib/Tails/Persistence/Configuration/Presets.pm | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/lib/Tails/Persistence/Configuration/Presets.pm b/lib/Tails/Persistence/Configuration/Presets.pm index 43a450f..0723abd 100644 --- a/lib/Tails/Persistence/Configuration/Presets.pm +++ b/lib/Tails/Persistence/Configuration/Presets.pm @@ -55,6 +55,16 @@ method _build__presets { icon_name => 'stock_folder', }, { + name => $self->encoding->decode(gettext(q{Tor Entry Guards})), + description => $self->encoding->decode(gettext( + q{Keep entry guards for better anonymity} + )), + destination => '/var/lib/tor', + options => [ 'source=tor-state' ], + enabled => 0, + icon_name => 'vidalia', + }, + { name => $self->encoding->decode(gettext(q{GnuPG})), description => $self->encoding->decode(gettext( q{GnuPG keyrings and configuration} -- 1.7.2.5
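Review bot: the user-facing description in the new preset, "Keep entry guards for better anonymity", states only the upside, while the commit message itself names the trade-off (a persisted guard set lets the local ISP or network admin fingerprint the machine, and the feature is useless and only leaves traces in bridge mode). Either extend the description or put a comment next to the preset pointing at documentation of that trade-off, so that enabling it is an informed choice. The hard dependency on the tails-greeter ownership fix is likewise stated only in the commit message; a short comment above `destination => '/var/lib/tor'` (or a version requirement in packaging) would keep the two changes from being shipped apart, since the commit message says the greeter fix is required whenever the Tor user's UID/GID changes between releases.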
>From ac35130e78359520e72b62f2ff47194185c915db Mon Sep 17 00:00:00 2001 From: Tails developers <ta...@boum.org> Date: Sat, 25 May 2013 20:05:59 +0000 Subject: [PATCH] Fix ownership of /var/lib/tor after login before Tor is started. This is needed in case this folder is persistent, as the numeric ids for "debian-tor" may change between Tails versions. A "find" trick is used instead of "chown -R" so we avoid some disk writes when the permissions already is right. --- PostLogin.default | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/PostLogin.default b/PostLogin.default index aa8f87f..f7a5eba 100755 --- a/PostLogin.default +++ b/PostLogin.default @@ -61,10 +61,6 @@ if [ -z "${LIVE_USERNAME}" ] ; then log_n_exit "Username variable not found." fi - -### (re-)start services that need to wait for post-login time -service network-manager restart - ### Camouflage CAMOUFLAGE_SETTINGS="/var/lib/gdm3/tails.camouflage" @@ -110,6 +106,15 @@ else log_n_exit "'/usr/local/sbin/tails-additional-software' does not exist or is not executable." fi +# Ensure the files in /var/lib/tor have correct ownership. +# The Tor user's UID and GID may change between Tails versions, +# and this directory may be persistent. +# Important: Do this before running network-manager hooks. +find /var/lib/tor ! -user debian-tor -o ! -group debian-tor | xargs chown debian-tor:debian-tor + +### (re-)start services that need to wait for post-login time +service network-manager restart + ### Password # Import password for superuser access -- 1.7.2.5
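Review bot: the `find /var/lib/tor ! -user debian-tor -o ! -group debian-tor | xargs chown debian-tor:debian-tor` line has two robustness gaps. First, paths travel through a newline-separated pipe, so a file name containing whitespace or a newline is split and the wrong path is chowned; `find /var/lib/tor \( ! -user debian-tor -o ! -group debian-tor \) -exec chown debian-tor:debian-tor {} +` (or `-print0 | xargs -0`) avoids this, and the parentheses become necessary once an explicit action follows the `-o`. Second, in the normal case that the commit message is optimising for, every file already has the right owner, find prints nothing, and GNU xargs still runs `chown debian-tor:debian-tor` with no operands, which fails; `-exec ... {} +` or `xargs -r` removes that failure. Consider also `chown -h` or restricting find with `-type d -o -type f`, because chown dereferences symlinks by default and this directory is now persisted data being re-owned by root at login. Moving `service network-manager restart` below the ownership fix matches the "do this before running network-manager hooks" comment, but the commit message should say the restart was relocated rather than dropped, since a reader of the first hunk sees only the removal.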
>From b423adae07ae03d272850f017daa6600fd01b8d5 Mon Sep 17 00:00:00 2001 From: Tails developers <ta...@boum.org> Date: Tue, 28 May 2013 18:21:29 +0000 Subject: [PATCH 2/2] Update POT file to include new strings --- po/tails-persistence-setup.pot | 112 +++++++++++++++++++-------------------- 1 files changed, 55 insertions(+), 57 deletions(-) diff --git a/po/tails-persistence-setup.pot b/po/tails-persistence-setup.pot index 4908469..27fdbc1 100644 --- a/po/tails-persistence-setup.pot +++ b/po/tails-persistence-setup.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: Tails developers <ta...@boum.org>\n" -"POT-Creation-Date: 2012-11-27 21:00+0100\n" +"POT-Creation-Date: 2013-05-28 18:20+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <l...@li.org>\n" 
@@ -26,161 +26,169 @@ msgid "Keep files stored in the `Persistent' directory" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:58 -msgid "GnuPG" +msgid "Tor Entry Guards" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:60 -msgid "GnuPG keyrings and configuration" +msgid "Keep entry guards for better anonymity" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:68 -msgid "SSH Client" +msgid "GnuPG" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:70 -msgid "SSH keys, configuration and known hosts" +msgid "GnuPG keyrings and configuration" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:78 -msgid "Pidgin" +msgid "SSH Client" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:80 -msgid "Pidgin profiles and OTR keyring" +msgid "SSH keys, configuration and known hosts" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:88 -msgid "Claws Mail" +msgid "Pidgin" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:90 -msgid "Claws Mail profiles and locally stored email" +msgid "Pidgin profiles and OTR keyring" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:98 -msgid "GNOME Keyring" +msgid "Claws Mail" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:100 -msgid "Secrets stored by GNOME Keyring" +msgid "Claws Mail profiles and locally stored email" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:108 -msgid "Network Connections" +msgid "GNOME Keyring" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:110 -msgid "Configuration of network devices and connections" +msgid "Secrets stored by GNOME Keyring" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:118 -msgid "Browser bookmarks" +msgid "Network Connections" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:120 -msgid "Bookmarks saved in Iceweasel browser" +msgid "Configuration of network devices and connections" msgstr "" #: 
../lib/Tails/Persistence/Configuration/Presets.pm:128 -msgid "APT Packages" +msgid "Browser bookmarks" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:130 -msgid "Packages downloaded by APT" +msgid "Bookmarks saved in Iceweasel browser" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:138 -msgid "APT Lists" +msgid "APT Packages" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:140 -msgid "Lists downloaded by APT" +msgid "Packages downloaded by APT" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:148 -msgid "Dotfiles" +msgid "APT Lists" msgstr "" #: ../lib/Tails/Persistence/Configuration/Presets.pm:150 +msgid "Lists downloaded by APT" +msgstr "" + +#: ../lib/Tails/Persistence/Configuration/Presets.pm:158 +msgid "Dotfiles" +msgstr "" + +#: ../lib/Tails/Persistence/Configuration/Presets.pm:160 msgid "" "Symlink into $HOME every file or directory found in the `dotfiles' directory" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:259 +#: ../lib/Tails/Persistence/Setup.pm:258 msgid "" "The device Tails is running from cannot be found. Maybe you used the `toram' " "option?" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:284 +#: ../lib/Tails/Persistence/Setup.pm:283 msgid "'Unparseable partition path.'" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:298 +#: ../lib/Tails/Persistence/Setup.pm:291 msgid "Setup Tails persistent volume" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:442 +#: ../lib/Tails/Persistence/Setup.pm:435 #, perl-format msgid "Device %s already has a persistent volume." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:450 +#: ../lib/Tails/Persistence/Setup.pm:443 #, perl-format msgid "Device %s has not enough unallocated space." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:458 ../lib/Tails/Persistence/Setup.pm:472 +#: ../lib/Tails/Persistence/Setup.pm:451 ../lib/Tails/Persistence/Setup.pm:465 #, perl-format msgid "Device %s has no persistent volume." 
msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:464 +#: ../lib/Tails/Persistence/Setup.pm:457 msgid "" "Cannot delete the persistent volume while in use. You should restart Tails " "without persistence." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:483 +#: ../lib/Tails/Persistence/Setup.pm:476 msgid "Persistence volume is not unlocked." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:488 +#: ../lib/Tails/Persistence/Setup.pm:481 msgid "Persistence volume is not mounted." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:493 +#: ../lib/Tails/Persistence/Setup.pm:486 msgid "Persistence volume is not readable. Permissions or ownership problems?" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:498 +#: ../lib/Tails/Persistence/Setup.pm:491 msgid "Persistence volume is not writable. Maybe it was mounted read-only?" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:507 +#: ../lib/Tails/Persistence/Setup.pm:500 #, perl-format msgid "Tails is running from non-USB device %s." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:513 +#: ../lib/Tails/Persistence/Setup.pm:506 #, perl-format msgid "Device %s is optical." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:520 +#: ../lib/Tails/Persistence/Setup.pm:513 #, perl-format msgid "Device %s was not created using Tails USB installer." msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:554 +#: ../lib/Tails/Persistence/Setup.pm:547 msgid "Error" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:861 +#: ../lib/Tails/Persistence/Setup.pm:854 msgid "Persistence wizard - Finished" msgstr "" -#: ../lib/Tails/Persistence/Setup.pm:864 +#: ../lib/Tails/Persistence/Setup.pm:857 msgid "" "Any changes you have made will only take effect after restarting Tails.\n" "\n" 
@@ -237,29 +245,19 @@ msgstr "" msgid "Failed" msgstr "" -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:269 -#: ../lib/Tails/Persistence/Step/Delete.pm:84 -msgid "Correcting attributes on Tails system partition." -msgstr "" - -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:272 -#: ../lib/Tails/Persistence/Step/Delete.pm:87 -msgid "The attributes of the Tails system partition will be corrected." -msgstr "" - -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:280 +#: ../lib/Tails/Persistence/Step/Bootstrap.pm:271 msgid "Mounting Tails persistence partition." msgstr "" -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:283 +#: ../lib/Tails/Persistence/Step/Bootstrap.pm:274 msgid "The Tails persistence partition will be mounted." msgstr "" -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:304 +#: ../lib/Tails/Persistence/Step/Bootstrap.pm:296 msgid "Creating..." msgstr "" -#: ../lib/Tails/Persistence/Step/Bootstrap.pm:307 +#: ../lib/Tails/Persistence/Step/Bootstrap.pm:299 msgid "Creating the persistent volume..." msgstr "" 
@@ -299,28 +297,28 @@ msgstr "" msgid "Saving persistence configuration..." msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:41 +#: ../lib/Tails/Persistence/Step/Delete.pm:40 msgid "Persistence wizard - Persistent volume deletion" msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:44 +#: ../lib/Tails/Persistence/Step/Delete.pm:43 msgid "Your persistent data will be deleted." msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:48 +#: ../lib/Tails/Persistence/Step/Delete.pm:47 #, perl-format msgid "" "The persistent volume %s (%s), on the <b>%s %s</b> device, will be deleted." msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:54 +#: ../lib/Tails/Persistence/Step/Delete.pm:53 msgid "Delete" msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:99 +#: ../lib/Tails/Persistence/Step/Delete.pm:91 msgid "Deleting..." msgstr "" -#: ../lib/Tails/Persistence/Step/Delete.pm:102 +#: ../lib/Tails/Persistence/Step/Delete.pm:94 msgid "Deleting the persistent volume..." msgstr "" -- 1.7.2.5
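Review bot: this regeneration does more than add the two new strings: it renumbers every Setup.pm, Bootstrap.pm and Delete.pm reference and drops the two "Correcting attributes on Tails system partition" entries, which shows the POT in master was already stale against the Perl sources. That is fine to merge, but the commit message ("Update POT file to include new strings") should state that it is a full regeneration so translators are not surprised by the unrelated churn, and the removed strings should be confirmed as intentionally gone from Bootstrap.pm and Delete.pm rather than a side effect of running the extractor on a different checkout.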
_______________________________________________ tails-dev mailing list tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev