resurecting welcome.sh

author: netblue30 <netblue30@protonmail.com> 2022-04-19 08:09:51 -0400
committer: netblue30 <netblue30@protonmail.com> 2022-04-19 08:09:51 -0400
commit: 37032636d46d3c592cbec1ae0a5781dfa4176d2a (patch)
tree: 494a040f58ffeedaf2e589aae4df17b4c7a02f53 /contrib
parent: build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (diff)
download: firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.tar.gz
firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.tar.zst
firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.zip
1 files changed, 0 insertions, 128 deletions
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
deleted file mode 100755
index c9b6c450b..000000000
--- a/contrib/firejail-welcome.sh
+++ /dev/null
@@ -1,128 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2020-2022 Firejail Authors
-# License GPL v2
-if ! command -v zenity >/dev/null; then
-        echo "Please install zenity."
-        exit 1
-fi
-if ! command -v sudo >/dev/null; then
-        echo "Please install sudo."
-        exit 1
-fi
-export LANG=en_US.UTF8
-zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
-Welcome to firejail!
-This is a quick setup guide for newbies.
-Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
-<profile-name>.local in ~/.config/firejal.
-Firejail's own configuration can be found at /etc/firejail/firejail.config.
-Please note that running this script a second time can set new options, but does not unset options
-set in a previous run.
-Website: https://firejail.wordpress.com
-Bug-Tracker: https://github.com/netblue30/firejail/issues
-Documentation:
- https://github.com/netblue30/firejail/wiki
- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
- https://firejail.wordpress.com/documentation-2
- man:firejail(1) and man:firejail-profile(5)
-PS: If you have any improvements for this script, open an issue or pull request.
-EOM
-[[ $? -eq 1 ]] && exit 0
-sed_scripts=()
-read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
-<big><b>Should browsers be allowed to access u2f hardware?</b></big>
-EOM
-read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
-<big><b>Should browsers be able to play DRM content?</b></big>
-\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
-is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
-DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
-allow their execution. Clearly, this may help an attacker to start malicious code.
-NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
-HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
-EOM
-read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
-You maybe want to set some of these advanced options.
-EOM
-read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
-<big><b>Should most programs be started in firejail by default?</b></big>
-EOM
-read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
-In order to apply these changes, root privileges are required.
-You will now be asked to enter your password.
-EOM
-read -r -d $'\0' MSG_I_FINISH <<EOM
-🥳
-EOM
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
-        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
-fi
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
-        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
-fi
-advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
-        --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
-        --column="" --column=Option --column=Description <<EOM
-force-nonewprivs
-Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
-restricted-network
-Restrict all network related commands except 'net none' to root only.
-seccomp-error-action=kill
-Kill programs which violate seccomp rules (default: return a error).
-EOM
-)
-if [[ $advanced_options == *force-nonewprivs* ]]; then
-        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
-fi
-if [[ $advanced_options == *restricted-network* ]]; then
-        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
-fi
-if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
-        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
-fi
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
-        run_firecfg=true
-fi
-zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
-passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
-if [[ -n "${sed_scripts[*]}" ]]; then
-        sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
-fi
-if [[ "$run_firecfg" == "true" ]]; then
-        sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
-fi
-sudo -k
-unset passwd
-zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
author	netblue30 <netblue30@protonmail.com>	2022-04-19 08:09:51 -0400
committer	netblue30 <netblue30@protonmail.com>	2022-04-19 08:09:51 -0400
commit	37032636d46d3c592cbec1ae0a5781dfa4176d2a (patch)
tree	494a040f58ffeedaf2e589aae4df17b4c7a02f53 /contrib
parent	build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (diff)
download	firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.tar.gz firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.tar.zst firejail-37032636d46d3c592cbec1ae0a5781dfa4176d2a.zip

diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh deleted file mode 100755 index c9b6c450b..000000000 --- a/contrib/firejail-welcome.sh +++ /dev/null
@@ -1,128 +0,0 @@
1	#!/bin/bash
2
3	# This file is part of Firejail project
4	# Copyright (C) 2020-2022 Firejail Authors
5	# License GPL v2
6
7	if ! command -v zenity >/dev/null; then
8	echo "Please install zenity."
9	exit 1
10	fi
11	if ! command -v sudo >/dev/null; then
12	echo "Please install sudo."
13	exit 1
14	fi
15
16	export LANG=en_US.UTF8
17
18	zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
19	Welcome to firejail!
20
21	This is a quick setup guide for newbies.
22
23	Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
24	<profile-name>.local in ~/.config/firejal.
25
26	Firejail's own configuration can be found at /etc/firejail/firejail.config.
27
28	Please note that running this script a second time can set new options, but does not unset options
29	set in a previous run.
30
31	Website: https://firejail.wordpress.com
32	Bug-Tracker: https://github.com/netblue30/firejail/issues
33	Documentation:
34	- https://github.com/netblue30/firejail/wiki
35	- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
36	- https://firejail.wordpress.com/documentation-2
37	- man:firejail(1) and man:firejail-profile(5)
38
39	PS: If you have any improvements for this script, open an issue or pull request.
40	EOM
41	[[ $? -eq 1 ]] && exit 0
42
43	sed_scripts=()
44
45	read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
46	<big><b>Should browsers be allowed to access u2f hardware?</b></big>
47	EOM
48
49	read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
50	<big><b>Should browsers be able to play DRM content?</b></big>
51
52	\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
53	is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
54	DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
55	allow their execution. Clearly, this may help an attacker to start malicious code.
56
57	NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
58
59	HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
60	EOM
61
62	read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
63	You maybe want to set some of these advanced options.
64	EOM
65
66	read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
67	<big><b>Should most programs be started in firejail by default?</b></big>
68	EOM
69
70	read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
71	In order to apply these changes, root privileges are required.
72	You will now be asked to enter your password.
73	EOM
74
75	read -r -d $'\0' MSG_I_FINISH <<EOM
76	🥳
77	EOM
78
79	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
80	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
81	fi
82
83	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
84	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
85	fi
86
87	advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
88	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
89	--column="" --column=Option --column=Description <<EOM
90
91	force-nonewprivs
92	Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
93
94	restricted-network
95	Restrict all network related commands except 'net none' to root only.
96
97	seccomp-error-action=kill
98	Kill programs which violate seccomp rules (default: return a error).
99	EOM
100	)
101
102	if [[ $advanced_options == force-nonewprivs ]]; then
103	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
104	fi
105	if [[ $advanced_options == restricted-network ]]; then
106	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
107	fi
108	if [[ $advanced_options == seccomp-error-action=kill ]]; then
109	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
110	fi
111
112	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
113	run_firecfg=true
114	fi
115
116	zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
117
118	passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
119	if [[ -n "${sed_scripts[*]}" ]]; then
120	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };
121	fi
122	if [[ "$run_firecfg" == "true" ]]; then
123	sudo -S -p "" -- firecfg <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };
124	fi
125	sudo -k
126	unset passwd
127
128	zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"