From 8874a4210734d1a785924d509dcb4dd7883a49ec Mon Sep 17 00:00:00 2001 From: DarkFeather Date: Wed, 16 Nov 2016 16:23:52 -0600 Subject: [PATCH] CVE-2016-4484 --- Admin/arch-update | 10 +-- Admin/silent-guardian | 36 ++++++---- ShadowArch/Makefile | 33 ++++----- ShadowArch/shadowarch | 129 ++++++++++++++++++++++++---------- ShadowArch/shadowarch-tar-gen | 3 +- 5 files changed, 132 insertions(+), 79 deletions(-) diff --git a/Admin/arch-update b/Admin/arch-update index 8977f28..e8029a8 100755 --- a/Admin/arch-update +++ b/Admin/arch-update @@ -5,7 +5,8 @@ date > $LOGFILE # Update echo == Updating Arch Packages == >> $LOGFILE -pacman -Syu --noconfirm 2>&1 >> $LOGFILE +# pacman -Syu --noconfirm 2>&1 >> $LOGFILE # I've been having troubles with this causing crashes while online. +checkupdates >> $LOGFILE echo >> $LOGFILE # Get AUR list of update candidates @@ -13,11 +14,6 @@ echo == AUR Candidate List == >> $LOGFILE cower -u >> $LOGFILE echo >> $LOGFILE -# Clean cache -echo == Cleaning Cache == >> $LOGFILE -paccache -r >> $LOGFILE -echo >> $LOGFILE - # Generate list of installed packages echo == Generated installed-packages list == >> $LOGFILE pacman --color never -Qem > /var/log/installed-packages.txt @@ -30,4 +26,4 @@ echo >> $LOGFILE date >> $LOGFILE printf '\n\n' >> $LOGFILE -cat $LOGFILE | mail -s "AniNIX::$(hostname) update log" sh1k0b4@gmail.com +cat $LOGFILE | mail -s "AniNIX::$(hostname) Update Candidates" sh1k0b4@gmail.com diff --git a/Admin/silent-guardian b/Admin/silent-guardian index 56c09b7..d6d1d05 100755 --- a/Admin/silent-guardian +++ b/Admin/silent-guardian @@ -1,5 +1,5 @@ #!/bin/bash - +DEPRIV=depriv if [ ! -f /usr/local/src/SharedLibraries/Bash/header ]; then echo This script requires the SharedLibraries package. exit 1; 
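Review bot: The new `checkupdates >> $LOGFILE` line in the first hunk of Admin/arch-update captures only stdout, so a failed database sync or a missing `checkupdates` binary is reported to cron's stderr instead of the log that gets mailed; the line it replaces at least attempted to redirect stderr. Suggest `checkupdates >> "$LOGFILE" 2>&1`. `$LOGFILE` is unquoted on every line this file touches, and quoting it is cheap while the lines are being rewritten. In the last hunk `cat $LOGFILE | mail -s "AniNIX::$(hostname) Update Candidates" …` can drop the `cat` and read the log with `< "$LOGFILE"`.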
@@ -7,27 +7,29 @@ fi source /usr/local/src/SharedLibraries/Bash/header export logfile="/var/log/silent-guardian.log" - logstatement "Started $(date)" # Fix the Webserver permissions -chown -R cxford:http /srv/http/* +if [ -f /srv/http ]; then +chown -R $DEPRIV:http /srv/http/* find /srv/http/* -type f -exec chmod 0640 {} \; find /srv/http/* -type d -exec chmod 0750 {} \; +fi; # Fix the media permissions -chown -R cxford:http /srv/yggdrasil -find /srv/yggdrasil/ -type f -exec chmod 0440 {} \; -find /srv/yggdrasil/ -type d -exec chmod 0550 {} \; -chmod -R u+w /srv/yggdrasil/new_acquisition - +if [ -f /usr/lib/systemd/system/yggdrasil.service ]; then + chown -R $DEPRIV:http /srv/yggdrasil + /usr/local/bin/yggdrasil-lock +fi # fix the WolfPack results location -find /srv/WolfPackResults -type d -exec chmod 0755 {} \; -find /srv/WolfPackResults -type f -exec chmod 0644 {} \; +if [ -x /usr/local/bin/wolfpack ]; then + find /srv/wolfpack -type d -exec chmod 0755 {} \; + find /srv/wolfpack -type f -exec chmod 0644 {} \; +fi # Seal the special directories. for i in $(ls -a /srv/yggdrasil/Digital_Library/ | egrep '^\.[a-zA-Z0-9]+$'); do - chown cxford:cxford -R $i; + chown $DEPRIV:$DEPRIV -R $i; find $i -type f -exec chmod 0400 {} \; find $i -type d -exec chmod 0500 {} \; done @@ -39,11 +41,17 @@ find /root -type d -exec chmod 0700 {} \; # Guard home directories chmod 0750 /home/* -chmod 0700 /home/.root-only/ # Guard API's -chmod 0750 /usr/local/bin/api-keys -chown root:api /usr/local/bin/api-keys +if [ -f /usr/local/bin/api-keys ]; then + chmod 0750 /usr/local/bin/api-keys + chown root:api /usr/local/bin/api-keys +fi + +# Guard LDAP +if [ -d /etc/openldap ]; then + chown ldap:ldap /var/lib/openldap/openldap-data/* +fi logstatement "Ended $(date)" logstatement " " diff --git a/ShadowArch/Makefile b/ShadowArch/Makefile index 47ee670..b1372bc 100644 --- a/ShadowArch/Makefile +++ b/ShadowArch/Makefile 
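Review bot: The new guard `if [ -f /srv/http ]; then` in the second hunk tests for a regular file, but `/srv/http` is a directory (the next line globs `/srv/http/*`), so the webroot chown/chmod block is skipped on every run; it should read `if [ -d /srv/http ]; then`. The `fi;` that closes it works but the trailing `;` is unnecessary. Further down, the rewritten `chown $DEPRIV:$DEPRIV -R $i;` still receives a bare dotfile name from `ls -a /srv/yggdrasil/Digital_Library/`, so it operates on `$i` relative to the script's current directory rather than on `/srv/yggdrasil/Digital_Library/$i`; since the line is being changed anyway, prefixing the path and quoting `"$i"` (here and in the two `find` lines that follow) would make the "seal" actually land on the intended directories.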
@@ -1,29 +1,24 @@ -HTTPROOT = "/srv/http/aninix.net" +HTTPROOT = /srv/http/aninix.net HTTPUSER = http -echoroot: - @echo ${HTTPROOT} - @echo ${HTTPUSER} - compile: @echo Nothing to do. -install: script webpresent +install: script webpresent checkperm + cp ./shadowarch-tar-gen /root/bin + /root/bin/shadowarch-tar-gen + cp ./shadowarch ${HTTPROOT} + + +checkperm: + chmod 0700 /root/bin/shadowarch-tar-gen + chown root:root /root/bin/shadowarch-tar-gen + chmod 0755 ${HTTPROOT}/shadowarch + chown ${HTTPUSER} ${HTTPROOT}/shadowarch test: ./shadowarch -h -reverse: +reverse: ${HTTPROOT}/shadowarch /root/bin/shadowarch-tar-gen cp ${HTTPROOT}/shadowarch . - -webpresent: shadowarch - /root/bin/shadowarch-tar-gen - cp ./shadowarch ${HTTPROOT} - chown ${HTTPUSER} ${HTTPROOT}/shadowarch - -script: shadowarch-tar-gen - cp shadowarch-tar-gen /root/bin - chmod 0700 /root/bin/shadowarch-tar-gen - chown root:root /root/bin/shadowarch-tar-gen - - + cp /root/bin/shadowarch-tar-gen . diff --git a/ShadowArch/shadowarch b/ShadowArch/shadowarch index 2f0f519..bed1529 100644 --- a/ShadowArch/shadowarch +++ b/ShadowArch/shadowarch 
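Review bot: `install: script webpresent checkperm` still names `script` and `webpresent` as prerequisites, but this hunk deletes both rules, so `make install` stops with "No rule to make target 'script'" unless files by those names happen to exist in the directory. `checkperm` is also a prerequisite, i.e. it runs before the `install` recipe copies anything, so on a fresh host its chmod/chown lines fail on missing paths and on an existing host they apply to the previous copies. Suggest `install:` with no prerequisites and a final recipe line `$(MAKE) checkperm`, or move the four `checkperm` commands into the install recipe after the `cp` lines. Separately, `chown ${HTTPUSER} ${HTTPROOT}/shadowarch` combined with `chmod 0755` leaves the published installer writable by the web server account; `root:http` with mode 0644 lets the server read it without being able to modify a script that later runs as root on every new host.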
@@ -8,34 +8,42 @@ function header () { return } function help() { - echo Usage: ${0} '[-d /dev/somedisk] [-e] [-g] [-p] [-s]' - echo " ${0}" '-h' - echo '-d Specify disk to install to.' - echo '-e Encrypt the root partition' - echo '-g Add GUI packages' - echo '-h Get help' - echo '-p Add productivity packages' - echo '-s Create a layout for an AniNIX::Spartacus' + echo Usage: ${0} '[OPTIONS]' + echo '\-d DISK -- Use the disk.' + echo '\-e -- Encrypt the root partition' + echo '\-g -- GUI packages and setup' + echo '\-h -- This helptext' + echo '\-k -- Kali Linux-like package additions' + echo '\-p -- Productivity package additions' + echo '\-s -- Create a layout for an AniNIX::Spartacus' + echo '\-m -- Skip disk operations and assume storage is mounted on /mnt' + echo '\-z -- Try to add all the packages on AniNIX::Core' exit 1; } spartacus=0; encrypt=0; gui=0; +kali=0; +kitchensink=0; productivity=0; disk="/dev/sda" +nodiskbuild=0; bootpart=1; rootpart=2; datapart=99; # TODO Add LVM as an argument -while getopts "ed:ghps" OPTION +while getopts "ed:gps" OPTION do case $OPTION in - e) encrypt=1 ;; d) disk=${OPTARG} ;; + e) encrypt=1 ;; g) gui=1 ;; + k) kali=1 ;; p) productivity=1; gui=1 ;; + m) nodiskbuild=1 ;; s) spartacus=1 ;; + z) kitchensink=1 ;; *) help esac done @@ -45,7 +53,9 @@ echo Spartacus set to: $spartacus echo Encryption set to: $encrypt echo GUI: $gui echo Productivity: $productivity -echo Disk to use: $disk +echo Kali tools: $kali +echo All Core packages: $kitchensink +echo Disk to use: $disk \(Skip disk building? $nodiskbuild \) printf "Is this OK? Type YES to continue: " read answer if [ "$answer" != "YES" ]; then 
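Review bot: The option string was changed to `while getopts "ed:gps" OPTION`, which does not list the new `k`, `m` and `z` options (and drops `h`), so `-k`, `-m` and `-z` fall through to `*) help` and exit before the `case` arms added in this hunk can ever set `kali`, `nodiskbuild` or `kitchensink`; it should read `while getopts "d:eghkmpsz" OPTION`. The rewritten help lines use `echo '\-d DISK -- Use the disk.'`, and bash's builtin `echo` prints that backslash literally, so the usage text comes out as `\-d`; `printf '%s\n' '-d DISK -- Use the disk.'` prints a leading dash safely without the escape. The `help` function and the option loop are both fully inside this hunk.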
@@ -53,9 +63,10 @@ if [ "$answer" != "YES" ]; then exit 1; fi pacman -Syy +if [ "$nodiskbuild" -eq 0 ]; then header Allocating space dd if=/dev/zero of="$disk" bs=1 count=2000000 # "$(fdisk -l "$disk" | head -n 1 | cut -f 5 -d ' ')" -if [ $spartacus -eq 1 ]; then +if [ "$spartacus" -eq 1 ]; then # Insert an ExFAT data partition ahead of the rest. export datapart=1; export bootpart=$((bootpart+1)) @@ -80,7 +91,7 @@ mkfs.ext4 "$disk""$bootpart" tune2fs -L "BOOT" "$disk""$bootpart" header Making root and mountpoints -if [ $encrypt -eq 1 ]; then +if [ "$encrypt" -eq 1 ]; then header Making encrypted root on "$disk""$rootpart" modprobe dm-crypt modprobe serpent_generic @@ -102,7 +113,8 @@ fi mkdir /mnt/boot mount "$disk""$bootpart" /mnt/boot -if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi +if [ "$?" -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi + # Install ArchLinux with basic clients for the AniNIX Services. # * git for Foundation 
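Review bot: The `if [ "$nodiskbuild" -eq 0 ]; then` added before `header Allocating space` in the first hunk has no matching `fi` in any hunk of this file: the hunk headers between this one and `@@ -111,20 +123,31 @@` account for exactly two added lines, this `if` and the blank line added after the `/mnt/boot` mount check in the `@@ -102,7 +113,8 @@` hunk, while the `fi` added in the later `@@ -136,21 +159,27 @@` hunk closes a second `if [ "$nodiskbuild" -eq 0 ]` opened there. As committed, bash will report an unexpected end of file when it reaches this `if`, after the preceding commands, including `pacman -Syy`, have already executed. The blank line added after `if [ "$?" -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi` in the `@@ -102,7 +113,8 @@` hunk looks like the intended closing point; make that line `fi`.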
@@ -111,20 +123,31 @@ if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi # * irssi for IRC # * make for source packages # * tor for anonymity -header Installing ArchLinux to root -export pkglist="base base-devel parted net-tools bind-tools git openssh make lynx irssi vim wget tor torsocks grub os-prober" -if [ $gui -eq 1 ]; then - export pkglist="$pkglist"" xorg-server xfce4 seamonkey conky" +header Installing ArchLinux to device\(s\) on /mnt +export pkglist="base base-devel parted net-tools bind-tools git openssh make lynx irssi vim wget tor torsocks grub os-prober rsync openntpd" +if [ "$gui" -eq 1 ]; then + export pkglist="$pkglist"" xorg-server xfce4 seamonkey conky tigervnc" fi -if [ $spartacus -eq 1 ]; then +if [ "$spartacus" -eq 1 ]; then export pkglist="$pkglist"" exfat-utils" fi -if [ $productivity -eq 1 ]; then +if [ "$productivity" -eq 1 ]; then export pkglist="$pkglist"" libreoffice-still gimp feh vlc evince" fi +if [ "$kali" -eq 1 ]; then + export pkglist="$pkglist"" extundelete testdisk nmap tcpdump hexedit dcfldd" + if [ "$gui" -eq 1 ]; then + export pkglist=" wireshark-gtk" + else + export pkglist=" wireshark-cli" + fi +fi +if [ "$kitchensink" -eq 1 ]; then + export pkglist="base base-devel $(wget -q -O - 'https://aninix.net/installed-packages.txt' | cut -f 1 -d ' ' | tr '\n' ' ')" +fi yes "" | pacstrap -i /mnt $pkglist -if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi +if [ $? -ne 0 ]; then header ERROR: Cannot continue -- pacstrap failed; exit 1; fi header Create FSTAB genfstab -U /mnt >> /mnt/etc/fstab 
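Review bot: Inside the new `if [ "$kali" -eq 1 ]` block, `export pkglist=" wireshark-gtk"` and `export pkglist=" wireshark-cli"` assign rather than append, so a `-k` run hands pacstrap only wireshark and loses base, base-devel, grub and everything else collected above; both lines should follow the neighbouring blocks, `export pkglist="$pkglist"" wireshark-gtk"` and `export pkglist="$pkglist"" wireshark-cli"`. The `kitchensink` branch replaces `pkglist` with the output of `wget -q -O - 'https://aninix.net/installed-packages.txt'` without checking wget's exit status, so a network failure silently degrades the install to `base base-devel`; capturing the download first with `pkgs=$(wget -q -O - '…') || { header ERROR: cannot fetch package list; exit 1; }` makes that failure visible. Since that list comes straight from a remote file and is passed to `pacstrap` unquoted, printing `$pkglist` before the pacstrap call would at least leave a record of what was installed.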
@@ -136,21 +159,27 @@ ln -s /usr/share/zoneinfo/America/Chicago /mnt/etc/localtime arch-chroot /mnt hwclock --systohc --utc header Setup bootloader +if [ "$nodiskbuild" -eq 0 ]; then export rootuuid="$(blkid "$disk""$rootpart" | cut -f 2 -d '"')" -if [ $encrypt -eq 1 ]; then +if [ "$encrypt" -eq 1 ]; then export hookstring="$(grep 'HOOKS=' /mnt/etc/mkinitcpio.conf | grep -v '#')" sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cryptdevice=UUID='$rootuuid':cryptroot"#' /mnt/etc/default/grub + sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub # Fix for CVE-2016-4484 fi - +fi + arch-chroot /mnt mkinitcpio -p linux if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi -arch-chroot /mnt grub-install --target=i386-pc "$disk" -if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi +if [ "$nodiskbuild" -eq 0 ]; then + arch-chroot /mnt grub-install --target=i386-pc "$disk" + if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi +fi arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi header Set networking +arch-chroot /mnt systemctl enable openntpd arch-chroot /mnt systemctl enable netctl export interface=$(ip link list | grep "state" | cut -f 2 -d ":" | cut -f 2 -d " " | grep -v lo) cp /mnt/etc/netctl/examples/ethernet-dhcp /mnt/etc/netctl/$interface 
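Review bot: The line commented `# Fix for CVE-2016-4484` edits `/etc/default/grub` on the installer host rather than `/mnt/etc/default/grub` like the `sed` immediately above it, so the `panic=5` parameter never reaches the freshly installed system whose `grub-mkconfig` runs inside `arch-chroot /mnt`, and the host's own grub default is modified as a side effect; change the path to `/mnt/etc/default/grub`. Both `sed -i` calls match an exact `GRUB_CMDLINE_LINUX=""` / `GRUB_CMDLINE_LINUX_DEFAULT="` text and silently do nothing when the shipped default differs, so a `grep -q 'panic=5' /mnt/etc/default/grub` (and the same for `cryptdevice=`) before `grub-mkconfig` would catch a bootloader that ends up without the encrypted-root and panic settings. The `if [ "$nodiskbuild" -eq 0 ]` / `fi` pair added around the `rootuuid` block is balanced within this hunk.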
@@ -161,7 +190,7 @@ arch-chroot /mnt netctl enable $interface # Set prompt and vimrc for ShadowArch header Setting ShadowArch customizations. -echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\]) \[\033[00;36m\]\u \[\033[01;37m\]\d \T \[\033[00;35m\]\w\[\033[00;31m\] ] \n|\[\033[m\]> "' >> /mnt/etc/bash.bashrc +echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\]) \[\033[00;36m\]\u \[\033[01;37m\]\d \t \[\033[00;35m\]\w\[\033[00;31m\] ] \n|\[\033[m\]> "' >> /mnt/etc/bash.bashrc # TODO Find a way to set the terminal header properly #for i in $(grep PROMPT_COMMAND /mnt/etc/bash.bashrc); do # sed -i 's/'"$i"'/PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'"'"'printf "\033]0;AniNIX::%s \134\134 %s in %s\007" "${HOSTNAME%%.*}" "${USER}" "${PWD/#$HOME/\~}"'"'"'/g' /etc/bash.bashrc @@ -169,14 +198,17 @@ echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\]) sed -i '/PS1=/d' /mnt/etc/skel/.bashrc cd /mnt/etc/ wget https://aninix.net/shadowarch.tar -rm -Rf ./skel ./vimrc +rm -Rf ./skel ./vimrc ./bash.bashrc tar xvf /mnt/etc/shadowarch.tar -cd /mnt/root -tar xvf /mnt/etc/shadowarch.tar -rm shadowarch.tar +for i in {a..z}; do + cp /mnt/etc/skel/'.'"$i"* /mnt/root +done +rm /mnt/etc/shadowarch.tar +rmdir /mnt/root/skel +mkdir -p /usr/share/vim/vimfiles/plugin +printf 'set mouse-=a\n' > /usr/share/vim/vimfiles/plugin/shadowarch.vim - -ln -s /etc/skel/.bashrc /mnt/root/.bashrc +ln -sf /etc/skel/.bashrc /mnt/root/.bashrc # Set hostname header Set hostname 
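Review bot: In the second hunk, `mkdir -p /usr/share/vim/vimfiles/plugin` and the `printf … > /usr/share/vim/vimfiles/plugin/shadowarch.vim` write to the installer host's filesystem, while every other path in this block is under `/mnt`; presumably `/mnt/usr/share/vim/vimfiles/plugin` was meant. The same block runs `rm -Rf ./skel ./vimrc ./bash.bashrc` in `/mnt/etc` right after `wget https://aninix.net/shadowarch.tar` without checking that the download succeeded, so a failed fetch leaves the new system with no `/etc/skel`, `/etc/vimrc` or `/etc/bash.bashrc`; `wget … || { header ERROR: cannot fetch shadowarch.tar; exit 1; }` before the `rm`, ideally with a checksum comparison against a value shipped alongside the installer, closes that gap. The `for i in {a..z}` loop passes unmatched globs such as `/mnt/etc/skel/.q*` to `cp` literally and prints an error for every letter without a dotfile; `cp -a /mnt/etc/skel/. /mnt/root/` copies the skeleton (directories included) in one step. `rmdir /mnt/root/skel` removes a directory this version of the script no longer creates, since the tar is now extracted only in `/mnt/etc`.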
@@ -184,14 +216,29 @@ printf "What is your hostname? AniNIX::" read hostname echo "$hostname" > /mnt/etc/hostname -# Set password -header Set new root passphrase -arch-chroot /mnt passwd - # Clone ConfigPackags from AniNIX::Foundation arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/ConfigPackages +arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/MiscScripts +arch-chroot /mnt make -C /usr/local/src/MiscScripts/Shared install +arch-chroot /mnt make -C /usr/local/src/MiscScripts/Admin install +arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/cower.git +arch-chroot /mnt useradd -m depriv -if [ $gui -eq 1 ]; then +# Handle AUR Packages + +if [ "$kali" -eq 1 ]; then + arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/autopsy.git +fi + +# Set password +header Set new root passphrase and depriviledged user '(depriv)' password. +arch-chroot /mnt passwd +arch-chroot /mnt passwd depriv +arch-chroot /mnt chown -R depriv:depriv /usr/local/src/ + +cp /root/shadowarch /mnt/root/shadowarch.installer."$(date +%F-%R)" + +if [ "$gui" -eq 1 ]; then echo "Remember to install your graphics drivers! For NVidia, look at xf86-video-nouveau For AMD, look at xf86-video-amdgpu @@ -200,8 +247,14 @@ if [ $gui -eq 1 ]; then For VMware, look at open-vm-tools" fi -header Installed ShadowArch! Press enter to reboot. +header Installed ShadowArch\! +if [ "$nodiskbuild" -eq 1 ]; then + header Remember to run grub-install and set up your bootloader. + echo 'https://wiki.archlinux.org/index.php/Installation_guide#Boot_loader' +else +header Press enter to reboot. read # Reboot shutdown -r now +fi diff --git a/ShadowArch/shadowarch-tar-gen b/ShadowArch/shadowarch-tar-gen index b172e93..7db967b 100755 --- a/ShadowArch/shadowarch-tar-gen +++ b/ShadowArch/shadowarch-tar-gen 
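Review bot: `arch-chroot /mnt chown -R depriv:depriv /usr/local/src/` hands the unprivileged account ownership of the whole source tree, including `MiscScripts`, a few lines after root has run `make -C /usr/local/src/MiscScripts/Shared install` and `…/Admin install` from it; any later `make … install` run as root from that tree executes depriv-writable Makefiles and scripts, which turns the depriv account into a root escalation path. If the chown exists so that `makepkg` can build the AUR checkouts, limit it to those: `arch-chroot /mnt chown -R depriv:depriv /usr/local/src/cower`, and the same for `/usr/local/src/autopsy` inside the kali block. `cp /root/shadowarch /mnt/root/shadowarch.installer."$(date +%F-%R)"` assumes the installer was launched from `/root/shadowarch`; `cp "$0" …` keeps the copy regardless of where it was run from. None of the new `git clone` / `make install` calls check their exit status, unlike the earlier pacstrap and grub steps, so a failed clone is not noticed until first login.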
@@ -1,2 +1,3 @@
 #!/bin/bash
-tar cvf /srv/http/aninix.net/shadowarch.tar /etc/vimrc /etc/skel
+cd /etc/
+tar cvf /srv/http/aninix.net/shadowarch.tar vimrc skel bash.bashrc
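Review bot: `cd /etc/` is unchecked, so if it fails the following `tar` runs in whatever directory the caller was in and either fails or archives the wrong `skel`; `cd /etc/ || exit 1` keeps the failure visible. The archive is written straight into the web root that the installer later fetches with `wget https://aninix.net/shadowarch.tar`, so everything under `/etc/skel` plus `/etc/bash.bashrc` becomes publicly downloadable, which is worth keeping in mind before anything host-specific lands in `skel`. Publishing a checksum next to the tarball would let the installer verify what it extracts into the new system's `/etc`.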