[Pkg-anonymity-tools] [torbrowser-launcher] 01/04: Add debian/examples to show how to run torbrowser-launcher, confined with AppArmor, in Xephyr as another user. Read the README!

Holger Levsen holger at moszumanska.debian.org
Sat Aug 2 22:55:07 UTC 2014


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch debian
in repository torbrowser-launcher.

commit ec5a5f1c4df203b2a296364d3ba2a9d8d3c31131
Author: Holger Levsen <holger at layer-acht.org>
Date:   Sun Aug 3 00:16:25 2014 +0200

    Add debian/examples to show how to run torbrowser-launcher, confined with AppArmor, in Xephyr as another user. Read the README!
---
 debian/changelog                    |  2 ++
 debian/copyright                    | 25 ++++++++++++++++
 debian/examples/README              | 57 +++++++++++++++++++++++++++++++++++++
 debian/examples/tbb-in-xephyr       | 24 ++++++++++++++++
 debian/examples/tbb-l-wrapper       | 40 ++++++++++++++++++++++++++
 debian/torbrowser-launcher.examples |  1 +
 6 files changed, 149 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e5d9272..aa742dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ torbrowser-launcher (0.1.2-1) UNRELEASED; urgency=medium
   * Drop patch intrigeri_gh92-rework-AppArmor-profiles.patch.
   * Drop patch fix_typo_in_ppa_script.patch.
   * debian/control: Update Vcs-URLs to new git repo location in collab-maint.
+  * Add debian/examples to show how to run torbrowser-launcher, confined with
+    AppArmor, in Xephyr as another user. Read the README!
 
  -- Holger Levsen <holger at debian.org>  Sun, 27 Jul 2014 22:04:56 +0200
 
diff --git a/debian/copyright b/debian/copyright
index abeb822..e06be2c 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -85,3 +85,28 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
 
+Files: debian/examples/*
+Copyright: Copyright 2014 Holger Levsen <holger at debian.org>
+License: Expat
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
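Review bot: The new debian/examples/* stanza repeats the full Expat text even though the context lines directly above it end with the same "WHETHER IN AN ACTION OF CONTRACT ..." paragraph, so the file now carries the licence twice. If this file is meant to follow the machine-readable copyright format, a short "License: Expat" reference in the new stanza, pointing to a single full-text paragraph, would be enough. Also, "Copyright: Copyright 2014" doubles the word, and the address here (holger at debian.org) differs from the one in the script headers (holger at layer-acht.org); pick one.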
diff --git a/debian/examples/README b/debian/examples/README
new file mode 100644
index 0000000..29c7db7
--- /dev/null
+++ b/debian/examples/README
@@ -0,0 +1,57 @@
+torbrowser-launcher launcher scripts
+====================================
+
+These scripts are intended to run torbrowser-launcher (and thus torbrowser) as
+another user in an Xephyr window server running inside your normal Xorg
+session.
+
+They assume the following packages are installed:
+
+- torbrowser-launcher
+- apparmor
+- xserver-xephyr, awesome
+- sudo, slay, psmisc
+
+AppArmor should be enabled, but doesn't have to. I followed the HowTo from
+https://wiki.debian.org/AppArmor, which can be summed up as just adding one
+parameter to the kernel to enable it, followed by a reboot.
+
+On wheezy, I'm using backports for torbrowser-launcher and apparmor.
+
+The scripts assume they have been copied to /usr/local/bin/ and that there is a user
+called "foo" (for running the actuall torbrowser(-launcher) process, and that
+the current user has sudo rights for the following commands:
+
+- sudo -i -u foo /usr/local/bin/tbb-l-wrapper
+- sudo slay foo
+
+There are two scripts, tbb-in-xephyr and tbb-l-wrapper. Only tbb-in-xephyr is
+to be called directly and will result in torbrowser running in Xephyr.
+
+Known problems:
+---------------
+
+- dbus is not started, so some input methods won't work. (Personally I don't
+  want/need dbus though, so I'm awaiting a solution to
+  https://trac.torproject.org/projects/tor/ticket/10014)
+- not everybody likes awesome as the window manager being used ;)
+
+Ideas, questions and ToDo:
+--------------------------
+
+- maybe all of this functionality could be integrated into.
+  torbrowser-launcher itself, just writing this in shell was so easy.
+- or for the time being, merge these two scripts into one, doing both,
+  depending on how its called.
+- run this in an unprivileged LXC container, which is also apparmor confined.
+- (when) does this double confinement make sense?
+- use a more sensible named default user (instead of foo).
+- there should really be an option, so torbrowser-launcher doesn't detach
+  itself, so that this "while;ps fax|grep" hack can go away.
+- ship an usable sudoers.d example too.
+- support for more users / instances
+
+Feedback welcome, especially accompanied by patches! 
+
+
+-- Holger Levsen, holger at debian.org, last updated: 2014-08-02
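Review bot: The sentence beginning 'called "foo" (for running the actuall torbrowser(-launcher) process' has a typo ("actuall") and never closes its opening parenthesis, and in the ToDo list "integrated into." has a stray full stop in mid-sentence. Since the README's whole point is confinement, it should also say that tbb-in-xephyr starts Xephyr with -ac and what that means for who can connect to the nested display; at the moment a reader has to find that in the script. The two sudo commands could be given as ready-to-copy sudoers.d lines, which the ToDo already asks for.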
diff --git a/debian/examples/tbb-in-xephyr b/debian/examples/tbb-in-xephyr
new file mode 100755
index 0000000..61c9e05
--- /dev/null
+++ b/debian/examples/tbb-in-xephyr
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+#
+#        (c) 2014 Holger Levsen         holger at layer-acht.org
+#        Expat licenced, see /usr/share/doc/torbrowser-launcher/copyright
+
+#
+# configuration
+#
+TBBUSER=foo
+RESOLUTION=1100x850
+
+#
+# run tbb-l-wrapper in Xephyr and kill Xephyr once torbrowser terminates
+#
+#set -x
+set -e
+Xephyr -ac -br -noreset -screen $RESOLUTION :1.0 &
+XEPHYR_PID=$!
+sleep 1
+sudo -i -u $TBBUSER /usr/local/bin/tbb-l-wrapper
+sudo slay $TBBUSER
+kill $XEPHYR_PID 
+echo voila.
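Review bot: "Xephyr -ac ..." switches off X access control on display :1, and the wrapper additionally unsets XAUTHORITY, so every client that can reach that display can connect to it and observe or inject input for the browser session, which undercuts the separate-user isolation. Consider starting Xephyr with -auth and a freshly generated xauth cookie that is handed only to $TBBUSER. Separately, with "set -e" a failing "sudo -i -u $TBBUSER ..." aborts the script before "sudo slay" and "kill $XEPHYR_PID" run, leaving Xephyr and any foo processes behind; a "trap ... EXIT" cleanup would cover that. Display :1.0 is hard-coded and "sleep 1" only guesses that Xephyr is ready; $RESOLUTION and $TBBUSER should be quoted.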
diff --git a/debian/examples/tbb-l-wrapper b/debian/examples/tbb-l-wrapper
new file mode 100755
index 0000000..ec5853d
--- /dev/null
+++ b/debian/examples/tbb-l-wrapper
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+#
+#        (c) 2014 Holger Levsen         holger at layer-acht.org
+#        Expat licenced, see /usr/share/doc/torbrowser-launcher/copyright
+
+#
+# configuration
+#
+unset XAUTHORITY
+unset XDG_SESSION_COOKIE
+unset ftp_proxy
+unset http_proxy
+unset https_proxy
+unset SUDO_GID
+unset SUDO_UID
+unset SUDO_USER
+export
+export LANG=C
+
+#
+# run awesome, torbrowser-launcher, wait for it to terminate and then kill awesome
+#
+set -e
+set -x
+DISPLAY=:1.0 awesome &
+#DISPLAY=:1.0 dbus-launch &
+sleep 4
+export
+sleep 4
+DISPLAY=:1.0 torbrowser-launcher
+set +x
+while [ "$(ps fax -U $USER | grep start-tor-browser | grep -v grep | wc -l)" -eq 1 ] ; 
+	do sleep 2
+done
+set -x
+killall awesome || true
+#killall dbus-launch || true
+#killall dbus-daemon || true
+exit 0
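Review bot: The wait loop tests "-eq 1", so it stops not only when start-tor-browser has exited but also when two or more matching processes exist, and it falls through immediately if torbrowser-launcher returns before start-tor-browser shows up in ps; awesome is then killed while the browser is still running. Testing for "-ge 1", or using pgrep -u "$USER" -f start-tor-browser from procps, avoids the grep -v grep chain and handles the multi-process case. The two bare "export" lines dump the whole environment to stdout and look like leftover debugging next to "set -x"; drop them or guard them behind a debug switch. "$USER" should be quoted.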
diff --git a/debian/torbrowser-launcher.examples b/debian/torbrowser-launcher.examples
new file mode 100644
index 0000000..55b78ae
--- /dev/null
+++ b/debian/torbrowser-launcher.examples
@@ -0,0 +1 @@
+debian/examples/*

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/torbrowser-launcher.git


