#!/bin/bash set -e . /usr/share/debconf/confmodule # This is taken from the package libnss-mdns and edited to do the same thing # but for GNS insteand of mdns. try to insert gns entries to the "hosts" line # in /etc/nsswitch.conf to automatically enable nss-gns support; do not change # the configuration if the "hosts" line already references some gns lookups insert_gns() { echo -n "Checking NSS setup..." # abort if /etc/nsswitch.conf does not exist if ! [ -e /etc/nsswitch.conf ]; then echo "Could not find /etc/nsswitch.conf." return 1 fi perl -i -pe ' sub insert { # this also splits on tab my @bits=split(" ", shift); # do not break configuration if the "hosts" line already references gns if (grep { $_ eq "gns"} @bits) { return join " ", @bits; } # change "dns" or "resolve", whichever comes first, into # "gns [NOTFOUND=return] dns" foreach my $bit (@bits) { if ($bit eq "dns") { $bit = "gns [NOTFOUND=return] $bit"; last; } } return join " ", @bits; } s/^(hosts:\s+)(.*)/$1.insert($2)/e; ' /etc/nsswitch.conf echo " done." } case "${1}" in configure) db_version 2.0 db_get gnunet-systempeer/username _USERNAME="${RET:-gnunet}" db_get gnunet-systempeer/groupname _GROUPNAME="${RET:-gnunet}" db_get gnunet-systempeer/autostart _AUTOSTART="${RET}" # boolean db_get gnunet-dns/libnsswitch _LIBNSSWITCH="${RET}" # boolean db_get gnunet-user/proxy _PROXY="${RET}" # boolean db_stop CONFIG_FILE="/etc/default/gnunet" # Read default values GNUNET_HOME="/var/lib/gnunet" eval $(grep GNUNET_HOME /etc/gnunet.conf | tr -d '[:blank:]') # Creating gnunet group if needed if ! getent group ${_GROUPNAME} > /dev/null then echo -n "Creating new GNUnet group ${_GROUPNAME}:" addgroup --quiet --system ${_GROUPNAME} echo " done." fi # Creating gnunet user if needed if ! getent passwd ${_USERNAME} > /dev/null then echo -n "Creating new GNUnet user ${_USERNAME}:" adduser --quiet --system --ingroup ${_GROUPNAME} --home ${GNUNET_HOME} ${_USERNAME} echo " done." fi # Add a special secured group GNUNETDNS_GROUP="gnunetdns" # Creating gnunetdns group if needed if ! getent group ${GNUNETDNS_GROUP} > /dev/null then echo -n "Creating new secured GNUnet group ${GNUNETDNS_GROUP}:" addgroup --quiet --system ${GNUNETDNS_GROUP} echo " done." fi # Copy the libnss_gns files to the libnss directory if ${_LIBNSSWITCH} then echo "Editing /etc/nsswitch.conf to use GNS before DNS" # $2 equals the currently installed version if it exists if [ -z "$2" ]; then # first install: setup the recommended configuration (unless # nsswitch.conf already contains mdns entries) insert_gns if [ "$?" -gt 0 ]; then echo "nsswitch does not exist on this system" fi fi echo " done." fi # Install GNUnet configuration for all users provided non exists userlist=$(awk -F ':' '$3>=1000 && $3<2000 {print $1}' /etc/passwd) users=($userlist) homedirlist=$(awk -F ':' '$3>=1000 && $3<2000 {print $6}' /etc/passwd) homedirs=($homedirlist) for (( i=0; i<${#users[@]}; i++ )); do usermod -aG gnunet ${users[$i]} if [ -n "$i" ] && [ -d "${homedirs[$i]}" ]; then mkdir -p ${homedirs[$i]}/.config/systemd/user/ cat > "${homedirs[$i]}/.config/systemd/user/gnunet-user.service" << EOF # Copyright (C) 2019 GNUnet e.V. # # Copying and distribution of this file, with or without modification, # are permitted in any medium without royalty provided the copyright # notice and this notice are preserved. This file is offered as-is, # without any warranty. [Unit] Description=Service that runs a GNUnet for the user gnunet After=network.target [Service] Type=forking ExecStart=/usr/bin/gnunet-arm -s -c ${homedirs[$i]}/.config/gnunet.conf ExecStop=/usr/bin/gnunet-arm -e -c ${homedirs[$i]}/.config/gnunet.conf [Install] WantedBy=multi-user.target EOF chown "${users[$i]}":"${users[$i]}" "${homedirs[$i]}/.config/systemd/user/gnunet-user.service" if [ ! -f "${homedirs[$i]}/.config/gnunet.conf" ]; then mkdir -p ${homedirs[$i]}/.config/ cp /etc/skel/.config/gnunet.conf "${homedirs[$i]}/.config/gnunet.conf" chmod 644 "${homedirs[$i]}/.config/gnunet.conf" fi fi port=$((8000+$(id -u "${users[$i]}"))) gnunet-config -c "${homedirs[$i]}/.config/gnunet.conf" \ --section=gns-proxy \ --option=IMMEDIATE_START \ --value=YES gnunet-config -c "${homedirs[$i]}/.config/gnunet.conf" \ --section=gns-proxy \ --option=OPTIONS \ --value="-p $port" chown "${users[$i]}":"${users[$i]}" "${homedirs[$i]}/.config/gnunet.conf" done # Change the proxy settings for Firefox and Chromium if desired if ${_PROXY} then mkdir -p /etc/X11/xinit/xinitrc.d/ cat > "/etc/X11/xinit/xinitrc.d/80-gnunet-user-services" << "EOF" #!/bin/bash systemctl --user daemon-reload systemctl --user start gnunet-user systemctl --user enable gnunet-user user=$(whoami) gnunet_proxy=$(gnunet-config -c /etc/skel/.config/gnunet.conf -s gns-proxy | grep 'IMMEDIATE_START = YES') # Enable GNS proxy for new users informed by /etc/skel. if [ "$gnunet_proxy" ]; then # Calculate user specific port port=$((8000+$(id -u $user))) gnunet-config -c $HOME/.config/gnunet.conf \ --section=gns-proxy \ --option=OPTIONS \ --value="-p $port" # Firefox defaultprofile=$(ls $HOME/.mozilla/firefox/*.default) if [ ! "$defaultprofile" ];then timeout 3s firefox --headless # dirty: create profile if not existent fi for ffprofile in $HOME/.mozilla/firefox/*.*/; do js=$ffprofile/user.js if [ -f "$js" ]; then sed -i '/Preferences for using the GNU Name System/d' "$js" sed -i '/network.proxy.socks/d' "$js" sed -i '/network.proxy.socks_port/d' "$js" sed -i '/network.proxy.socks_remote_dns/d' "$js" sed -i '/network.proxy.type/d' "$js" fi echo "// Preferences for using the GNU Name System" >> "$js" echo "user_pref(\"network.proxy.socks\", \"localhost\");" >> "$js" echo "user_pref(\"network.proxy.socks_port\", $port);" >> "$js" echo "user_pref(\"network.proxy.socks_remote_dns\", true);" >> "$js" echo "user_pref(\"network.proxy.type\", 1);" >> "$js" done # Chromium profile="$HOME/.profile" if [ -f "$profile" ]; then sed -i '/CHROMIUM_USER_FLAGS/d' "$profile" fi echo "export CHROMIUM_USER_FLAGS=--proxy-server=socks5://localhost:$port" \ >> "$profile" fi # Create/Renew GNS certificate authority (CA) per user. gnunet-gns-proxy-setup-ca EOF fi # Update files and directories permissions. # Assuming default values, this *should* not be changed. echo -n "Updating files and directories permissions:" chown -R ${_USERNAME}:${_GROUPNAME} /var/log/gnunetd chown -R ${_USERNAME}:${_GROUPNAME} ${GNUNET_HOME} # Secure access to the data directory chmod 0700 "${GNUNET_HOME}" || true # Restrict access on setuid binaries for file in /usr/bin/gnunet-helper-exit \ /usr/bin/gnunet-helper-nat-client \ /usr/bin/gnunet-helper-nat-server \ /usr/bin/gnunet-helper-transport-bluetooth \ /usr/bin/gnunet-helper-transport-wlan \ /usr/bin/gnunet-helper-vpn do # only do something when no setting exists if ! dpkg-statoverride --list $file >/dev/null 2>&1 && [ -e $file ] then chown root:${_GROUPNAME} $file chmod 4750 $file fi done if ! dpkg-statoverride --list /usr/bin/gnunet-helper-dns >/dev/null 2>&1 \ && [ -e /usr/bin/gnunet-helper-dns ] then chown root:${GNUNETDNS_GROUP} /usr/bin/gnunet-helper-dns chmod 4750 /usr/bin/gnunet-helper-dns fi if ! dpkg-statoverride --list /usr/bin/gnunet-service-dns >/dev/null 2>&1 \ && [ -e /usr/bin/gnunet-service-dns ] then chown ${_USERNAME}:${GNUNETDNS_GROUP} /usr/bin/gnunet-service-dns chmod 2750 /usr/bin/gnunet-service-dns fi echo " done." # Writing new values to configuration file echo -n "Writing new configuration file:" CONFIG_NEW=$(tempfile) cat > "${CONFIG_NEW}" < "/etc/systemd/system/gnunet.service" <&2 exit 1 ;; esac #DEBHELPER# exit 0