forked from adrelanos/qubes-remote-support
-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
qubes-remote-support-receiver-stop
executable file
·111 lines (88 loc) · 3.56 KB
/
qubes-remote-support-receiver-stop
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/bin/bash
set -e
vm_name="$2"
if [ "$vm_name" = "" ]; then
vm_name="sys-whonix"
fi
no_root_check() {
if [ "$(id -u)" = "0" ]; then
echo "ERROR: Do not run $0 as root / with sudo!" >&2
exit 100
fi
}
dom0_terminate_remote_support_provider_start() {
## This writes "KILLED" to the console where the start script has run.
kill -s KILL $(pgrep -f qubes-remote-support-receiver-start) &>/dev/null || true
}
dom0_terminate_socat() {
systemctl --user stop socat-9050 &>/dev/null || true
systemctl --user reset-failed socat-9050 &>/dev/null || true
}
dom0_rpc_policy_setup() {
local append_string
if ! test -f "/etc/qubes-rpc/policy/qubes.ConnectTCP+22" ; then
return 0
fi
append_string="$vm_name dom0 allow,target=dom0"
old="$append_string"
new=""
file_name="/etc/qubes-rpc/policy/qubes.ConnectTCP+22"
sudo --non-interactive sed -i "s/$old/$new/g" "$file_name" || true
## Debugging.
#cat "/etc/qubes-rpc/policy/qubes.ConnectTCP+22"
}
start_vm() {
if qvm-check --running "$vm_name" 2>/dev/null ; then
echo "INFO: VM '$vm_name' already running, ok."
else
qvm-start "$vm_name" 2>/dev/null
fi
}
vm_setup() {
## --pass-io is optional but useful for gathering debug output.
qvm-run --user root --pass-io "$vm_name" "systemctl stop qubes-whonix-remote-support.service" >/dev/null
qvm-run --user root --pass-io "$vm_name" "rm --force --verbose /usr/local/etc/torrc.d/43_remote_support_hs_autogen.conf" >/dev/null
qvm-run --user root --pass-io "$vm_name" "rm --force --recursive --verbose /var/lib/tor/remote_support" >/dev/null
qvm-run --user root --pass-io "$vm_name" "rm --force --recursive --verbose /var/lib/tor_autogen/remote_support" >/dev/null
## Check if Tor is running.
if qvm-run --user root --pass-io "$vm_name" "systemctl --no-pager --no-block status tor@default.service" >/dev/null ; then
## Yes, Tor is running. Restart it to make Tor forget the onion v3 service.
qvm-run --user root --pass-io "$vm_name" "systemctl restart tor@default.service" >/dev/null
fi
}
dom0_sshd_setup() {
mkdir -p ~/.ssh
sudo --non-interactive chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
sudo --non-interactive chmod 600 ~/.ssh/*
## XXX: Should remove all keys from file ~/.ssh/authorized_keys that contain
## comment qubes-remote-support-receiver-auto-generated or delete whole file
## ~/.ssh/authorized_keys ?
##
## Deleting whole file ~/.ssh/authorized_keys seems more robust at the expense
## of advanced users and developers using custom (not by qubes-remote-support
## package) SSH servers.
##
## Alternatively, keys matching the SSH key comment
## "qubes-remote-support-receiver-auto-generated" could be removed too but
## that code is more fragile to race conditions. That is implemented now.
sed -i '/qubes-remote-support-receiver-auto-generated/,+1 d' ~/.ssh/authorized_keys || true
if test -f ~/.qubes-remote-support/sshd_was_already_running.status ; then
echo "INFO: sshd was previously running, therefore not stopping it, ok."
else
echo "INFO: sshd was not previously running, therefore stopping it, ok."
sudo --non-interactive systemctl stop sshd.service
fi
}
dom0_x2go_setup() {
sudo --non-interactive systemctl stop x2gocleansessions.service
}
no_root_check
dom0_terminate_socat
dom0_terminate_remote_support_provider_start
dom0_rpc_policy_setup
dom0_sshd_setup
dom0_x2go_setup
start_vm
vm_setup
echo "INFO: Success, remote support received has been turned off."