qubes-remote-support-receiver-stop

#!/bin/bash

set -e

vm_name="$2"
if [ "$vm_name" = "" ]; then
    vm_name="sys-whonix"
fi

no_root_check() {
    if [ "$(id -u)" = "0" ]; then
        echo "ERROR: Do not run $0 as root / with sudo!" >&2
        exit 100
    fi
}

dom0_terminate_remote_support_provider_start() {
   ## This writes "KILLED" to the console where the start script has run.
   kill -s KILL $(pgrep -f qubes-remote-support-receiver-start) &>/dev/null || true
}

dom0_terminate_socat() {
   systemctl --user stop socat-9050 &>/dev/null || true
   systemctl --user reset-failed socat-9050 &>/dev/null || true
}

dom0_rpc_policy_setup() {
    local append_string

    if ! test -f "/etc/qubes-rpc/policy/qubes.ConnectTCP+22" ; then
        return 0
    fi

    append_string="$vm_name dom0 allow,target=dom0"

    old="$append_string"
    new=""
    file_name="/etc/qubes-rpc/policy/qubes.ConnectTCP+22"
    sudo --non-interactive sed -i "s/$old/$new/g" "$file_name" || true

    ## Debugging.
    #cat "/etc/qubes-rpc/policy/qubes.ConnectTCP+22"
}

start_vm() {
    if qvm-check --running "$vm_name" 2>/dev/null ; then
        echo "INFO: VM '$vm_name' already running, ok."
    else
        qvm-start "$vm_name" 2>/dev/null
    fi
}

vm_setup() {
    ## --pass-io is optional but useful for gathering debug output.

    qvm-run --user root --pass-io "$vm_name" "systemctl stop qubes-whonix-remote-support.service" >/dev/null

    qvm-run --user root --pass-io "$vm_name" "rm --force --verbose /usr/local/etc/torrc.d/43_remote_support_hs_autogen.conf" >/dev/null
    qvm-run --user root --pass-io "$vm_name" "rm --force --recursive --verbose /var/lib/tor/remote_support" >/dev/null
    qvm-run --user root --pass-io "$vm_name" "rm --force --recursive --verbose /var/lib/tor_autogen/remote_support" >/dev/null

    ## Check if Tor is running.
    if qvm-run --user root --pass-io "$vm_name" "systemctl --no-pager --no-block status tor@default.service" >/dev/null ; then
        ## Yes, Tor is running. Restart it to make Tor forget the onion v3 service.
        qvm-run --user root --pass-io "$vm_name" "systemctl restart tor@default.service" >/dev/null
    fi
}

dom0_sshd_setup() {
    mkdir -p ~/.ssh
    sudo --non-interactive chmod 700 ~/.ssh
    touch ~/.ssh/authorized_keys
    sudo --non-interactive chmod 600 ~/.ssh/*

    ## XXX: Should remove all keys from file ~/.ssh/authorized_keys that contain
    ## comment qubes-remote-support-receiver-auto-generated or delete whole file
    ## ~/.ssh/authorized_keys ?
    ##
    ## Deleting whole file ~/.ssh/authorized_keys seems more robust at the expense
    ## of advanced users and developers using custom (not by qubes-remote-support
    ## package) SSH servers.
    ##
    ## Alternatively, keys matching the SSH key comment
    ## "qubes-remote-support-receiver-auto-generated" could be removed too but
    ## that code is more fragile to race conditions. That is implemented now.
    sed -i '/qubes-remote-support-receiver-auto-generated/,+1 d' ~/.ssh/authorized_keys || true

    if test -f ~/.qubes-remote-support/sshd_was_already_running.status ; then
        echo "INFO: sshd was previously running, therefore not stopping it, ok."
    else
        echo "INFO: sshd was not previously running, therefore stopping it, ok."
        sudo --non-interactive systemctl stop sshd.service
    fi
}

dom0_x2go_setup() {
    sudo --non-interactive systemctl stop x2gocleansessions.service
}

no_root_check
dom0_terminate_socat
dom0_terminate_remote_support_provider_start
dom0_rpc_policy_setup

dom0_sshd_setup
dom0_x2go_setup

start_vm
vm_setup

echo "INFO: Success, remote support received has been turned off."