authorMicah Lee <micah@micahflee.com>2014-08-20 21:11:49 +0000
committerMicah Lee <micah@micahflee.com>2014-08-20 21:11:49 +0000
commitbda5bc3450d0f001dc8aef514295b59e251c327b (patch)
tree22e86b91632f99967823fd754ab8b16f0ee0d030
parentbbbf005dacab375a3f853cc091d892cb980c6f9f (diff)
downloadonionshare-bda5bc3450d0f001dc8aef514295b59e251c327b.tar.gz
onionshare-bda5bc3450d0f001dc8aef514295b59e251c327b.zip
in Tails, launch separate root process to do root stuff (#96)
-rw-r--r--onionshare/onionshare.py81
-rw-r--r--onionshare/strings.json18
2 files changed, 56 insertions, 43 deletions
diff --git a/onionshare/onionshare.py b/onionshare/onionshare.py
index 55fb0689..6ca1eebc 100644
--- a/onionshare/onionshare.py
+++ b/onionshare/onionshare.py
@@ -190,16 +190,6 @@ def page_not_found(e):
def is_root():
return os.geteuid() == 0
-def tails_open_port(port):
- if get_platform() == 'Tails':
- print translated("punching_a_hole")
- subprocess.call(['/sbin/iptables', '-I', 'OUTPUT', '-o', 'lo', '-p', 'tcp', '--dport', str(port), '-j', 'ACCEPT'])
-
-def tails_close_port(port):
- if get_platform() == 'Tails':
- print translated("closing_hole")
- subprocess.call(['/sbin/iptables', '-D', 'OUTPUT', '-o', 'lo', '-p', 'tcp', '--dport', str(port), '-j', 'ACCEPT'])
-
def load_strings(default="en"):
global strings
try:
@@ -277,12 +267,42 @@ def start_hidden_service(port):
return onion_host
+def tails_root():
+ # if running in Tails and as root, do only the things that require root
+ if get_platform() == 'Tails' and is_root():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('port', nargs=1, help='Tails only: port for opening firewall, starting hidden service')
+ args = parser.parse_args()
+
+ try:
+ port = int(args.port[0])
+ except ValueError:
+ sys.stderr.write('Invalid value, port must be an integer\n')
+ sys.exit(-1)
+
+ # open hole in firewall
+ subprocess.call(['/sbin/iptables', '-I', 'OUTPUT', '-o', 'lo', '-p', 'tcp', '--dport', str(port), '-j', 'ACCEPT'])
+
+ # start hidden service
+ onion_host = start_hidden_service(port)
+ sys.stdout.write(onion_host)
+ sys.stdout.flush()
+
+ # close hole in firewall on shutdown
+ import signal
+ def handler(signum = None, frame = None):
+ subprocess.call(['/sbin/iptables', '-D', 'OUTPUT', '-o', 'lo', '-p', 'tcp', '--dport', str(port), '-j', 'ACCEPT'])
+ sys.exit()
+ for sig in [signal.SIGTERM, signal.SIGINT, signal.SIGHUP, signal.SIGQUIT]:
+ signal.signal(sig, handler)
+
+ # stay open until killed
+ while True:
+ time.sleep(1)
+
def main():
load_strings()
-
- # check for root in Tails
- if get_platform() == 'Tails' and not is_root():
- sys.exit(translated("tails_requires_root"))
+ tails_root()
# parse arguments
parser = argparse.ArgumentParser()
@@ -309,19 +329,33 @@ def main():
port = choose_port()
local_host = "127.0.0.1:{0}".format(port)
- if not local_only:
- # try starting hidden service
- print translated("connecting_ctrlport").format(port)
- try:
- onion_host = start_hidden_service(port)
- except NoTor as e:
- sys.exit(e.args[0])
+ if get_platform() == 'Tails':
+ # if this is tails, start the root process
+ #root_p = subprocess.Popen(['/usr/bin/gksudo', '-D', 'OnionShare', '--', '/usr/bin/onionshare', str(port)], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+ root_p = subprocess.Popen(['/usr/bin/sudo', '--', '/usr/bin/onionshare', str(port)], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+ stdout = root_p.stdout.read(22) # .onion URLs are 22 chars long
+
+ if stdout:
+ onion_host = stdout
+ else:
+ if root_p.poll() == -1:
+ sys.exit(root_p.stderr.read())
+ else:
+ sys.exit('Unknown error with Tails root process')
+ else:
+ # if not tails, start hidden service normally
+ if not local_only:
+ # try starting hidden service
+ print translated("connecting_ctrlport").format(port)
+ try:
+ onion_host = start_hidden_service(port)
+ except NoTor as e:
+ sys.exit(e.args[0])
# startup
print translated("calculating_sha1")
filehash, filesize = file_crunching(filename)
set_file_info(filename, filehash, filesize)
- tails_open_port(port)
print '\n' + translated("give_this_url")
if local_only:
print 'http://{0}/{1}'.format(local_host, slug)
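Review bot: The error branch `if root_p.poll() == -1:` will not match the helper's `sys.exit(-1)`: a child's exit status is reported in the range 0–255 (so 255 here) and poll() returns None while the process is still running, so the helper's stderr message is never shown and the user only sees 'Unknown error with Tails root process'. Waiting and testing for non-zero would surface it, e.g. `if root_p.wait() != 0: sys.exit(root_p.stderr.read())`. `if stdout:` also accepts a short read, so `if len(stdout) == 22:` is the safer test before the value is used as onion_host. Separately, the Tails branch starts the root helper even when local_only is set, and nothing visible in this diff stops root_p when main() exits, so removal of the firewall rule depends on the helper receiving a signal; main() continues outside this hunk.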
@@ -334,8 +368,5 @@ def main():
app.run(port=port)
print '\n'
- # shutdown
- tails_close_port(port)
-
if __name__ == '__main__':
main()
diff --git a/onionshare/strings.json b/onionshare/strings.json
index 15be5dd5..fcf6a8c9 100644
--- a/onionshare/strings.json
+++ b/onionshare/strings.json
@@ -1,6 +1,4 @@
{ "en": {
- "punching_a_hole": "Punching a hole in the firewall.",
- "closing_hole": "Closing hole in firewall.",
"calculating_sha1": "Calculating SHA1 checksum.",
"connecting_ctrlport": "Connecting to Tor control port to set up hidden service on port {0}.",
"cant_connect_ctrlport": "Cannot connect to Tor control port on port {0}. Is Tor running?",
@@ -20,8 +18,6 @@
"choose_file": "Choose a file to share",
"copy_url": "Copy URL"
}, "no": {
- "punching_a_hole": "Åpner port i brannmuren.",
- "closing_hole": "Lukker port i brannmuren.",
"calculating_sha1": "Kalkulerer SHA1 sjekksum.",
"connecting_ctrlport": "Kobler til Tors kontroll-port for å sette opp en gjemt tjeneste på port {0}.",
"cant_connect_ctrlport": "Klarte ikke å koble til Tors kontroll-porter {0}. Sjekk at Tor kjører.",
@@ -40,8 +36,6 @@
"close_countdown": "Lukker om {0} sekunder",
"choose_file": "Velg en fil å dele"
}, "es": {
- "punching_a_hole": "Abriendo un agujero en el cortafuegos.",
- "closing_hole": "Cerrando el agujero en el cortafuegos.",
"calculating_sha1": "Calculando suma de verificación SHA1.",
"connecting_ctrlport": "Conectando a puerto control de Tor para configurar servicio oculto en puerto {0}.",
"cant_connect_ctrlport": "No se pudo conectar a puerto control de Tor en puertos {0}. ¿Está funcionando Tor?",
@@ -60,8 +54,6 @@
"close_countdown": "Cierre en {0} segundos...",
"choose_file": "Elija un archivo para compartir"
}, "fr": {
- "punching_a_hole": "Poinçonnage d'un trou dans le pare-feu.",
- "closing_hole": "Trou de clôture dans le pare-feu.",
"calculating_sha1": "Calculer un hachage SHA-1.",
"connecting_ctrlport": "Connexion à réseau Tor utilisant les port {0}.",
"cant_connect_ctrlport": "Réseau Tor indisponible sur le port {0}. Vous utilisez Tor?",
@@ -71,8 +63,6 @@
"filesize": "Taille de fichier",
"sha1_checksum": "SHA1 hachage"
}, "it": {
- "punching_a_hole": "Apertura della porta nel firewall.",
- "closing_hole": "Chiusura della porta nel firewall.",
"calculating_sha1": "Calcolo della firma SHA1.",
"connecting_ctrlport": "Connessione alla porta di controllo di Tor per inizializzare il servizio nascosto sulla porta {0}.",
"cant_connect_ctrlport": "Impossibile connettere alla porta di controllo di Tor tramite le porte {0}. Tor è stato avviato?",
@@ -91,8 +81,6 @@
"close_countdown": "Chiusura in {0} secondi...",
"choose_file": "Scegli un file da condividere"
}, "nl": {
- "punching_a_hole": "Een doorgang aan het maken in de firewall.",
- "closing_hole": "Doorgang in de firewall sluiten.",
"calculating_sha1": "SHA1 controlecijfer berekenen.",
"connecting_ctrlport": "Verbinden met de Tor controle port om een verborgen service op te zetten op poort {0}.",
"cant_connect_ctrlport": "Kan niet verbinden met de Tor controle poort op poorten {0}. Draait Tor?",
@@ -112,8 +100,6 @@
"choose_file": "Kies betsand om te delen",
"copy_url": "Kopieer URL"
}, "pt": {
- "punching_a_hole": "Abrindo um buraco no firewall.",
- "closing_hole": "Fechando buraco no firewall.",
"calculating_sha1": "Calculando checksum SHA1.",
"connecting_ctrlport": "Conectando-se à porta de controle Tor para configurar serviço escondido na porta {0}.",
"cant_connect_ctrlport": "Não pode conectar à porta de controle Tor na porta {0}. O Tor está rodando?",
@@ -132,8 +118,6 @@
"close_countdown": "Fechando em {0} segundos...",
"choose_file": "Escolhe um arquivo para compartilhar"
}, "ru": {
- "punching_a_hole": "Открытие порта в межсетевом экране.",
- "closing_hole": "Закрытие порта в межсетевом экране.",
"calculating_sha1": "Вычисляется SHA1 хешсумма.",
"connecting_ctrlport": "Соединяемся с контрольным портом Tor для создания скрытого сервиса на порту {0}.",
"cant_connect_ctrlport": "Невозможно соединиться с контрольным портом Tor на порту {0}. Tor запущен?",
@@ -153,8 +137,6 @@
"choose_file": "Выберите файл",
"copy_url": "Скопировать ссылку"
}, "de": {
- "punching_a_hole": "Schlage ein Loch in die Firewall.",
- "closing_hole": "Schließe Loch in der Firewall.",
"calculating_sha1": "Kalkuliere SHA1 Checksumme.",
"connecting_ctrlport": "Verbinde zum Tor-Kontrollport um den versteckten Dienst auf Port {0} laufen zu lassen.",
"cant_connect_ctrlport": "Konnte keine Verbindung zum Tor-Kontrollport auf Port {0} aufbauen. Läuft Tor?",