AniNIX/ShadowArch
AniNIX/ShadowArch
3
0
Fork 0
Code Issues 1 Pull Requests 1 Releases Wiki Activity

CVE-2016-4484

Browse Source
This commit is contained in:
DarkFeather 2016-11-16 16:23:52 -06:00
parent ce8320ce2e
commit 8874a42107
5 changed files with 132 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Admin/arch-update
View File

@ -5,7 +5,8 @@ date > $LOGFILE
# Update # Update
echo == Updating Arch Packages == >> $LOGFILE echo == Updating Arch Packages == >> $LOGFILE
pacman -Syu --noconfirm 2>&1 >> $LOGFILE # pacman -Syu --noconfirm 2>&1 >> $LOGFILE # I've been having troubles with this causing crashes while online.
checkupdates >> $LOGFILE
echo >> $LOGFILE echo >> $LOGFILE
# Get AUR list of update candidates # Get AUR list of update candidates
@ -13,11 +14,6 @@ echo == AUR Candidate List == >> $LOGFILE
cower -u >> $LOGFILE cower -u >> $LOGFILE
echo >> $LOGFILE echo >> $LOGFILE
# Clean cache
echo == Cleaning Cache == >> $LOGFILE
paccache -r >> $LOGFILE
echo >> $LOGFILE
# Generate list of installed packages # Generate list of installed packages
echo == Generated installed-packages list == >> $LOGFILE echo == Generated installed-packages list == >> $LOGFILE
pacman --color never -Qem > /var/log/installed-packages.txt pacman --color never -Qem > /var/log/installed-packages.txt
@ -30,4 +26,4 @@ echo >> $LOGFILE
date >> $LOGFILE date >> $LOGFILE
printf '\n\n' >> $LOGFILE printf '\n\n' >> $LOGFILE
cat $LOGFILE | mail -s "AniNIX::$(hostname) update log" sh1k0b4@gmail.com cat $LOGFILE | mail -s "AniNIX::$(hostname) Update Candidates" sh1k0b4@gmail.com

32
Admin/silent-guardian
View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
DEPRIV=depriv
if [ ! -f /usr/local/src/SharedLibraries/Bash/header ]; then if [ ! -f /usr/local/src/SharedLibraries/Bash/header ]; then
echo This script requires the SharedLibraries package. echo This script requires the SharedLibraries package.
exit 1; exit 1;
@ -7,27 +7,29 @@ fi
source /usr/local/src/SharedLibraries/Bash/header source /usr/local/src/SharedLibraries/Bash/header
export logfile="/var/log/silent-guardian.log" export logfile="/var/log/silent-guardian.log"
logstatement "Started $(date)" logstatement "Started $(date)"
# Fix the Webserver permissions # Fix the Webserver permissions
chown -R cxford:http /srv/http/* if [ -f /srv/http ]; then
chown -R $DEPRIV:http /srv/http/*
find /srv/http/* -type f -exec chmod 0640 {} \; find /srv/http/* -type f -exec chmod 0640 {} \;
find /srv/http/* -type d -exec chmod 0750 {} \; find /srv/http/* -type d -exec chmod 0750 {} \;
fi;
# Fix the media permissions # Fix the media permissions
chown -R cxford:http /srv/yggdrasil if [ -f /usr/lib/systemd/system/yggdrasil.service ]; then
find /srv/yggdrasil/ -type f -exec chmod 0440 {} \; chown -R $DEPRIV:http /srv/yggdrasil
find /srv/yggdrasil/ -type d -exec chmod 0550 {} \; /usr/local/bin/yggdrasil-lock
chmod -R u+w /srv/yggdrasil/new_acquisition fi
# fix the WolfPack results location # fix the WolfPack results location
find /srv/WolfPackResults -type d -exec chmod 0755 {} \; if [ -x /usr/local/bin/wolfpack ]; then
find /srv/WolfPackResults -type f -exec chmod 0644 {} \; find /srv/wolfpack -type d -exec chmod 0755 {} \;
find /srv/wolfpack -type f -exec chmod 0644 {} \;
fi
# Seal the special directories. # Seal the special directories.
for i in $(ls -a /srv/yggdrasil/Digital_Library/ | egrep '^\.[a-zA-Z0-9]+$'); do for i in $(ls -a /srv/yggdrasil/Digital_Library/ | egrep '^\.[a-zA-Z0-9]+$'); do
chown cxford:cxford -R $i; chown $DEPRIV:$DEPRIV -R $i;
find $i -type f -exec chmod 0400 {} \; find $i -type f -exec chmod 0400 {} \;
find $i -type d -exec chmod 0500 {} \; find $i -type d -exec chmod 0500 {} \;
done done
@ -39,11 +41,17 @@ find /root -type d -exec chmod 0700 {} \;
# Guard home directories # Guard home directories
chmod 0750 /home/* chmod 0750 /home/*
chmod 0700 /home/.root-only/
# Guard API's # Guard API's
if [ -f /usr/local/bin/api-keys ]; then
chmod 0750 /usr/local/bin/api-keys chmod 0750 /usr/local/bin/api-keys
chown root:api /usr/local/bin/api-keys chown root:api /usr/local/bin/api-keys
fi
# Guard LDAP
if [ -d /etc/openldap ]; then
chown ldap:ldap /var/lib/openldap/openldap-data/*
fi
logstatement "Ended $(date)" logstatement "Ended $(date)"
logstatement " " logstatement " "

33
ShadowArch/Makefile
View File

@ -1,29 +1,24 @@
HTTPROOT = "/srv/http/aninix.net" HTTPROOT = /srv/http/aninix.net
HTTPUSER = http HTTPUSER = http
echoroot:
@echo ${HTTPROOT}
@echo ${HTTPUSER}
compile: compile:
@echo Nothing to do. @echo Nothing to do.
install: script webpresent install: script webpresent checkperm
cp ./shadowarch-tar-gen /root/bin
/root/bin/shadowarch-tar-gen
cp ./shadowarch ${HTTPROOT}
checkperm:
chmod 0700 /root/bin/shadowarch-tar-gen
chown root:root /root/bin/shadowarch-tar-gen
chmod 0755 ${HTTPROOT}/shadowarch
chown ${HTTPUSER} ${HTTPROOT}/shadowarch
test: test:
./shadowarch -h ./shadowarch -h
reverse: reverse: ${HTTPROOT}/shadowarch /root/bin/shadowarch-tar-gen
cp ${HTTPROOT}/shadowarch . cp ${HTTPROOT}/shadowarch .
cp /root/bin/shadowarch-tar-gen .
webpresent: shadowarch
/root/bin/shadowarch-tar-gen
cp ./shadowarch ${HTTPROOT}
chown ${HTTPUSER} ${HTTPROOT}/shadowarch
script: shadowarch-tar-gen
cp shadowarch-tar-gen /root/bin
chmod 0700 /root/bin/shadowarch-tar-gen
chown root:root /root/bin/shadowarch-tar-gen

123
ShadowArch/shadowarch
View File

@ -8,34 +8,42 @@ function header () {
return return
} }
function help() { function help() {
echo Usage: ${0} '[-d /dev/somedisk] [-e] [-g] [-p] [-s]' echo Usage: ${0} '[OPTIONS]'
echo " ${0}" '-h' echo '\-d DISK -- Use the disk.'
echo '-d Specify disk to install to.' echo '\-e -- Encrypt the root partition'
echo '-e Encrypt the root partition' echo '\-g -- GUI packages and setup'
echo '-g Add GUI packages' echo '\-h -- This helptext'
echo '-h Get help' echo '\-k -- Kali Linux-like package additions'
echo '-p Add productivity packages' echo '\-p -- Productivity package additions'
echo '-s Create a layout for an AniNIX::Spartacus' echo '\-s -- Create a layout for an AniNIX::Spartacus'
echo '\-m -- Skip disk operations and assume storage is mounted on /mnt'
echo '\-z -- Try to add all the packages on AniNIX::Core'
exit 1; exit 1;
} }
spartacus=0; spartacus=0;
encrypt=0; encrypt=0;
gui=0; gui=0;
kali=0;
kitchensink=0;
productivity=0; productivity=0;
disk="/dev/sda" disk="/dev/sda"
nodiskbuild=0;
bootpart=1; bootpart=1;
rootpart=2; rootpart=2;
datapart=99; datapart=99;
# TODO Add LVM as an argument # TODO Add LVM as an argument
while getopts "ed:ghps" OPTION while getopts "ed:gps" OPTION
do do
case $OPTION in case $OPTION in
e) encrypt=1 ;;
d) disk=${OPTARG} ;; d) disk=${OPTARG} ;;
e) encrypt=1 ;;
g) gui=1 ;; g) gui=1 ;;
k) kali=1 ;;
p) productivity=1; gui=1 ;; p) productivity=1; gui=1 ;;
m) nodiskbuild=1 ;;
s) spartacus=1 ;; s) spartacus=1 ;;
z) kitchensink=1 ;;
*) help *) help
esac esac
done done
@ -45,7 +53,9 @@ echo Spartacus set to: $spartacus
echo Encryption set to: $encrypt echo Encryption set to: $encrypt
echo GUI: $gui echo GUI: $gui
echo Productivity: $productivity echo Productivity: $productivity
echo Disk to use: $disk echo Kali tools: $kali
echo All Core packages: $kitchensink
echo Disk to use: $disk \(Skip disk building? $nodiskbuild \)
printf "Is this OK? Type YES to continue: " printf "Is this OK? Type YES to continue: "
read answer read answer
if [ "$answer" != "YES" ]; then if [ "$answer" != "YES" ]; then
@ -53,9 +63,10 @@ if [ "$answer" != "YES" ]; then
exit 1; exit 1;
fi fi
pacman -Syy pacman -Syy
if [ "$nodiskbuild" -eq 0 ]; then
header Allocating space header Allocating space
dd if=/dev/zero of="$disk" bs=1 count=2000000 # "$(fdisk -l "$disk" | head -n 1 | cut -f 5 -d ' ')" dd if=/dev/zero of="$disk" bs=1 count=2000000 # "$(fdisk -l "$disk" | head -n 1 | cut -f 5 -d ' ')"
if [ $spartacus -eq 1 ]; then if [ "$spartacus" -eq 1 ]; then
# Insert an ExFAT data partition ahead of the rest. # Insert an ExFAT data partition ahead of the rest.
export datapart=1; export datapart=1;
export bootpart=$((bootpart+1)) export bootpart=$((bootpart+1))
@ -80,7 +91,7 @@ mkfs.ext4 "$disk""$bootpart"
tune2fs -L "BOOT" "$disk""$bootpart" tune2fs -L "BOOT" "$disk""$bootpart"
header Making root and mountpoints header Making root and mountpoints
if [ $encrypt -eq 1 ]; then if [ "$encrypt" -eq 1 ]; then
header Making encrypted root on "$disk""$rootpart" header Making encrypted root on "$disk""$rootpart"
modprobe dm-crypt modprobe dm-crypt
modprobe serpent_generic modprobe serpent_generic
@ -102,7 +113,8 @@ fi
mkdir /mnt/boot mkdir /mnt/boot
mount "$disk""$bootpart" /mnt/boot mount "$disk""$bootpart" /mnt/boot
if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi if [ "$?" -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
# Install ArchLinux with basic clients for the AniNIX Services. # Install ArchLinux with basic clients for the AniNIX Services.
# * git for Foundation # * git for Foundation
@ -111,20 +123,31 @@ if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
# * irssi for IRC # * irssi for IRC
# * make for source packages # * make for source packages
# * tor for anonymity # * tor for anonymity
header Installing ArchLinux to root header Installing ArchLinux to device\(s\) on /mnt
export pkglist="base base-devel parted net-tools bind-tools git openssh make lynx irssi vim wget tor torsocks grub os-prober" export pkglist="base base-devel parted net-tools bind-tools git openssh make lynx irssi vim wget tor torsocks grub os-prober rsync openntpd"
if [ $gui -eq 1 ]; then if [ "$gui" -eq 1 ]; then
export pkglist="$pkglist"" xorg-server xfce4 seamonkey conky" export pkglist="$pkglist"" xorg-server xfce4 seamonkey conky tigervnc"
fi fi
if [ $spartacus -eq 1 ]; then if [ "$spartacus" -eq 1 ]; then
export pkglist="$pkglist"" exfat-utils" export pkglist="$pkglist"" exfat-utils"
fi fi
if [ $productivity -eq 1 ]; then if [ "$productivity" -eq 1 ]; then
export pkglist="$pkglist"" libreoffice-still gimp feh vlc evince" export pkglist="$pkglist"" libreoffice-still gimp feh vlc evince"
fi fi
if [ "$kali" -eq 1 ]; then
export pkglist="$pkglist"" extundelete testdisk nmap tcpdump hexedit dcfldd"
if [ "$gui" -eq 1 ]; then
export pkglist=" wireshark-gtk"
else
export pkglist=" wireshark-cli"
fi
fi
if [ "$kitchensink" -eq 1 ]; then
export pkglist="base base-devel $(wget -q -O - 'https://aninix.net/installed-packages.txt' | cut -f 1 -d ' ' | tr '\n' ' ')"
fi
yes "" | pacstrap -i /mnt $pkglist yes "" | pacstrap -i /mnt $pkglist
if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi if [ $? -ne 0 ]; then header ERROR: Cannot continue -- pacstrap failed; exit 1; fi
header Create FSTAB header Create FSTAB
genfstab -U /mnt >> /mnt/etc/fstab genfstab -U /mnt >> /mnt/etc/fstab
@ -136,21 +159,27 @@ ln -s /usr/share/zoneinfo/America/Chicago /mnt/etc/localtime
arch-chroot /mnt hwclock --systohc --utc arch-chroot /mnt hwclock --systohc --utc
header Setup bootloader header Setup bootloader
if [ "$nodiskbuild" -eq 0 ]; then
export rootuuid="$(blkid "$disk""$rootpart" | cut -f 2 -d '"')" export rootuuid="$(blkid "$disk""$rootpart" | cut -f 2 -d '"')"
if [ $encrypt -eq 1 ]; then if [ "$encrypt" -eq 1 ]; then
export hookstring="$(grep 'HOOKS=' /mnt/etc/mkinitcpio.conf | grep -v '#')" export hookstring="$(grep 'HOOKS=' /mnt/etc/mkinitcpio.conf | grep -v '#')"
sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cryptdevice=UUID='$rootuuid':cryptroot"#' /mnt/etc/default/grub sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cryptdevice=UUID='$rootuuid':cryptroot"#' /mnt/etc/default/grub
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub # Fix for CVE-2016-4484
fi
fi fi
arch-chroot /mnt mkinitcpio -p linux arch-chroot /mnt mkinitcpio -p linux
if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
if [ "$nodiskbuild" -eq 0 ]; then
arch-chroot /mnt grub-install --target=i386-pc "$disk" arch-chroot /mnt grub-install --target=i386-pc "$disk"
if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
fi
arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
header Set networking header Set networking
arch-chroot /mnt systemctl enable openntpd
arch-chroot /mnt systemctl enable netctl arch-chroot /mnt systemctl enable netctl
export interface=$(ip link list | grep "state" | cut -f 2 -d ":" | cut -f 2 -d " " | grep -v lo) export interface=$(ip link list | grep "state" | cut -f 2 -d ":" | cut -f 2 -d " " | grep -v lo)
cp /mnt/etc/netctl/examples/ethernet-dhcp /mnt/etc/netctl/$interface cp /mnt/etc/netctl/examples/ethernet-dhcp /mnt/etc/netctl/$interface
@ -161,7 +190,7 @@ arch-chroot /mnt netctl enable $interface
# Set prompt and vimrc for ShadowArch # Set prompt and vimrc for ShadowArch
header Setting ShadowArch customizations. header Setting ShadowArch customizations.
echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\]) \[\033[00;36m\]\u \[\033[01;37m\]\d \T \[\033[00;35m\]\w\[\033[00;31m\] ] \n|\[\033[m\]> "' >> /mnt/etc/bash.bashrc echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\]) \[\033[00;36m\]\u \[\033[01;37m\]\d \t \[\033[00;35m\]\w\[\033[00;31m\] ] \n|\[\033[m\]> "' >> /mnt/etc/bash.bashrc
# TODO Find a way to set the terminal header properly # TODO Find a way to set the terminal header properly
#for i in $(grep PROMPT_COMMAND /mnt/etc/bash.bashrc); do #for i in $(grep PROMPT_COMMAND /mnt/etc/bash.bashrc); do
# sed -i 's/'"$i"'/PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'"'"'printf "\033]0;AniNIX::%s \134\134 %s in %s\007" "${HOSTNAME%%.*}" "${USER}" "${PWD/#$HOME/\~}"'"'"'/g' /etc/bash.bashrc # sed -i 's/'"$i"'/PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'"'"'printf "\033]0;AniNIX::%s \134\134 %s in %s\007" "${HOSTNAME%%.*}" "${USER}" "${PWD/#$HOME/\~}"'"'"'/g' /etc/bash.bashrc
@ -169,14 +198,17 @@ echo 'PS1="\[\033[00;31m\][ AniNIX::\h(\[\033[01;32m\]ShadowArch\[\033[00;31m\])
sed -i '/PS1=/d' /mnt/etc/skel/.bashrc sed -i '/PS1=/d' /mnt/etc/skel/.bashrc
cd /mnt/etc/ cd /mnt/etc/
wget https://aninix.net/shadowarch.tar wget https://aninix.net/shadowarch.tar
rm -Rf ./skel ./vimrc rm -Rf ./skel ./vimrc ./bash.bashrc
tar xvf /mnt/etc/shadowarch.tar tar xvf /mnt/etc/shadowarch.tar
cd /mnt/root for i in {a..z}; do
tar xvf /mnt/etc/shadowarch.tar cp /mnt/etc/skel/'.'"$i"* /mnt/root
rm shadowarch.tar done
rm /mnt/etc/shadowarch.tar
rmdir /mnt/root/skel
mkdir -p /usr/share/vim/vimfiles/plugin
printf 'set mouse-=a\n' > /usr/share/vim/vimfiles/plugin/shadowarch.vim
ln -sf /etc/skel/.bashrc /mnt/root/.bashrc
ln -s /etc/skel/.bashrc /mnt/root/.bashrc
# Set hostname # Set hostname
header Set hostname header Set hostname
@ -184,14 +216,29 @@ printf "What is your hostname? AniNIX::"
read hostname read hostname
echo "$hostname" > /mnt/etc/hostname echo "$hostname" > /mnt/etc/hostname
# Set password
header Set new root passphrase
arch-chroot /mnt passwd
# Clone ConfigPackags from AniNIX::Foundation # Clone ConfigPackags from AniNIX::Foundation
arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/ConfigPackages arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/ConfigPackages
arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/MiscScripts
arch-chroot /mnt make -C /usr/local/src/MiscScripts/Shared install
arch-chroot /mnt make -C /usr/local/src/MiscScripts/Admin install
arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/cower.git
arch-chroot /mnt useradd -m depriv
if [ $gui -eq 1 ]; then # Handle AUR Packages
if [ "$kali" -eq 1 ]; then
arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/autopsy.git
fi
# Set password
header Set new root passphrase and depriviledged user '(depriv)' password.
arch-chroot /mnt passwd
arch-chroot /mnt passwd depriv
arch-chroot /mnt chown -R depriv:depriv /usr/local/src/
cp /root/shadowarch /mnt/root/shadowarch.installer."$(date +%F-%R)"
if [ "$gui" -eq 1 ]; then
echo "Remember to install your graphics drivers! echo "Remember to install your graphics drivers!
For NVidia, look at xf86-video-nouveau For NVidia, look at xf86-video-nouveau
For AMD, look at xf86-video-amdgpu For AMD, look at xf86-video-amdgpu
@ -200,8 +247,14 @@ if [ $gui -eq 1 ]; then
For VMware, look at open-vm-tools" For VMware, look at open-vm-tools"
fi fi
header Installed ShadowArch! Press enter to reboot. header Installed ShadowArch\!
if [ "$nodiskbuild" -eq 1 ]; then
header Remember to run grub-install and set up your bootloader.
echo 'https://wiki.archlinux.org/index.php/Installation_guide#Boot_loader'
else
header Press enter to reboot.
read read
# Reboot # Reboot
shutdown -r now shutdown -r now
fi

3
ShadowArch/shadowarch-tar-gen
View File

@ -1,2 +1,3 @@
#!/bin/bash #!/bin/bash
tar cvf /srv/http/aninix.net/shadowarch.tar /etc/vimrc /etc/skel cd /etc/
tar cvf /srv/http/aninix.net/shadowarch.tar vimrc skel bash.bashrc