Copy of OpenOffice ChromeOSFlex Installer

#!/bin/bash
# This script performs a complete, secure setup of a Linux VM for use as a
# dedicated LibreOffice workstation. It installs LibreOffice, applies a
# locked-down user configuration, and then performs irreversible
# system and terminal hardening. [v24 - DIAGNOSTIC MODE]

# WARNING: This script performs destructive hardening and is irreversible.

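# --- Logging ---
# Everything the script prints (stdout and stderr) is mirrored into a log file.
# The log is created with mktemp, so its name is unpredictable and it is
# created readable and writable only by the invoking user. A fixed name in
# the world-writable /tmp can be pre-created or symlinked by another local
# account before this script starts appending to it.
LOG_FILE=$(mktemp "${TMPDIR:-/tmp}/setup_log.XXXXXX") || {
    echo "❌ CRITICAL ERROR: Could not create a log file. Exiting." >&2
    exit 1
}
# Quoted so that a TMPDIR containing spaces or glob characters cannot split
# or expand the path handed to tee.
exec > >(tee -a -- "$LOG_FILE") 2>&1

echo "--- Secure LibreOffice Workstation Setup (DIAGNOSTIC MODE v24) ---"
echo "--- Logging output to ${LOG_FILE} ---"
echo "--------------------------------------------------------"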

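# --- Step 1: System Cleanup & LibreOffice Installation ---
# Refreshes the package index, purges the vim packages and installs
# LibreOffice. A failed install stops the script: the later steps would
# otherwise "harden" a machine that has no LibreOffice on it and still
# report success.
echo "➡️ Step 1: Updating system and installing LibreOffice..."
echo "Checking for existing package manager locks..."
# fuser exits 0 while some process has the lock file open. If fuser or sudo
# itself fails, the loop also ends and the apt-get calls below are the ones
# that report the problem.
while sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do
    echo "Another package process is running. Waiting for it to finish..."
    sleep 2
done
echo "✅ Lock released. Proceeding with installation."

# A stale index is tolerable, so a failed refresh is only a warning.
if ! sudo apt-get update -y; then
    echo "⚠️ WARNING: 'apt-get update' reported errors; continuing with the existing package index."
fi

# Removing the editors is best-effort and must not block the installation.
if ! sudo apt-get remove --purge -y vim vim-common vim-tiny; then
    echo "⚠️ WARNING: Could not remove the vim packages; continuing."
fi

if ! sudo apt-get install -y libreoffice; then
    echo "❌ CRITICAL ERROR: LibreOffice installation failed. Exiting."
    exit 1
fi
echo "✅ Tools installed."
echo "--------------------------------------------------------"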

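# --- Step 2: LibreOffice Hardening (Direct User Policy Lock) ---
# Replaces the target user's LibreOffice profile with a generated
# registrymodifications.xcu, then hands the profile directory and the policy
# file to root so the user cannot edit them or change their mode back.
echo "➡️ Step 2: Applying Application Security Hardening..."

# The target account is whichever passwd entry has UID 1000.
PRIMARY_USER=$(getent passwd 1000 | cut -d: -f1)
if [ -z "$PRIMARY_USER" ]; then
    echo "❌ CRITICAL ERROR: Could not determine the primary user. Exiting."
    exit 1
fi
USER_HOME=$(getent passwd "$PRIMARY_USER" | cut -d: -f6)
# Every path below is built from USER_HOME, and some of them are removed or
# re-owned as root, so refuse an empty, root ("/") or missing home directory.
if [ -z "$USER_HOME" ] || [ "$USER_HOME" = "/" ] || [ ! -d "$USER_HOME" ]; then
    echo "❌ CRITICAL ERROR: Home directory '$USER_HOME' of '$PRIMARY_USER' is not usable. Exiting."
    exit 1
fi
echo "🎯 Target user identified as '$PRIMARY_USER' with home directory '$USER_HOME'."

USER_CONFIG_DIR="$USER_HOME/.config/libreoffice/4/user"
USER_POLICY_FILE="$USER_CONFIG_DIR/registrymodifications.xcu"

echo "🛡️ Removing any existing user configuration to ensure a clean slate..."
# Removed as root: an earlier run of this script leaves a root-owned,
# read-only profile directory that the user account cannot delete.
sudo rm -rf -- "${USER_HOME:?}/.config/libreoffice/4"
if ! sudo -u "$PRIMARY_USER" mkdir -p -- "$USER_CONFIG_DIR"; then
    echo "❌ CRITICAL ERROR: Could not create '$USER_CONFIG_DIR'. Exiting."
    exit 1
fi

echo "🛡️ Generating and deploying locked-down user policy file..."

# Define the master configuration content.
# The delimiter is quoted so the XML is taken literally (no parameter or
# command expansion). read -d '' returns non-zero when it reaches the end of
# the here-document; that is expected and LO_CONFIG is still filled.
# NOTE(review): confirm that LibreOffice accepts this
# <oor:modifications>/<oor:component-data> layout in registrymodifications.xcu
# and that every property path matches the installed schema (for example,
# whether MacroSecurityLevel belongs under Security/Scripting rather than
# Security/Options). A setting written at a path the schema does not define
# is presumably ignored, which would leave that control at its default.
read -r -d '' LO_CONFIG << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oor:modifications xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <oor:component-data oor:name="Common" oor:package="org.openoffice.Office"><node oor:name="Java"><prop oor:name="Enabled" oor:op="fuse"><value>false</value></prop></node><node oor:name="Linguistic"><node oor:name="General"><prop oor:name="SpellOnline" oor:op="fuse"><value>true</value></prop></node></node><node oor:name="Internet"><node oor:name="Settings"><prop oor:name="ooInetEnabled" oor:op="fuse"><value>false</value></prop></node></node><node oor:name="Update"><prop oor:name="Enabled" oor:op="fuse"><value>false</value></prop></node><node oor:name="Security"><node oor:name="Options"><prop oor:name="DisableSaveWithPassword" oor:op="fuse"><value>true</value></prop><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>3</value></prop></node></node></oor:component-data>
    <oor:component-data oor:name="UI" oor:package="org.openoffice.Office.UI"><node oor:name="Writer"><prop oor:name="UIName" oor:op="fuse"><value>org.openoffice.Office.UI.Notebookbar:TabbedFull</value></prop></node><node oor:name="Calc"><prop oor:name="UIName" oor:op="fuse"><value>org.openoffice.Office.UI.Notebookbar:TabbedFull</value></prop></node><node oor:name="Impress"><prop oor:name="UIName" oor:op="fuse"><value>org.openoffice.Office.UI.Notebookbar:TabbedFull</value></prop></node></oor:component-data>
    <oor:component-data oor:name="WriterGlobal" oor:package="org.openoffice.Office.Writer"><node oor:name="General"><prop oor:name="DefaultFilter" oor:op="fuse"><value>writer_MS_Word_2007-2021</value></prop></node></oor:component-data>
    <oor:component-data oor:name="CalcGlobal" oor:package="org.openoffice.Office.Calc"><node oor:name="General"><prop oor:name="DefaultFilter" oor:op="fuse"><value>calc_MS_Excel_2007-2021_XML</value></prop></node></oor:component-data>
    <oor:component-data oor:name="ImpressGlobal" oor:package="org.openoffice.Office.Impress"><node oor:name="General"><prop oor:name="DefaultFilter" oor:op="fuse"><value>impress_MS_PowerPoint_2007-2021_XML</value></prop></node></oor:component-data>
</oor:modifications>
EOF

# Write the configuration directly to the USER's policy file
if ! printf '%s\n' "$LO_CONFIG" | sudo -u "$PRIMARY_USER" tee "$USER_POLICY_FILE" > /dev/null; then
    echo "❌ CRITICAL ERROR: Could not write '$USER_POLICY_FILE'. Exiting."
    exit 1
fi

# FINAL LOCK: make the profile directory and the policy file root-owned and
# read-only. A mode change alone does not hold, because the account that owns
# a file or directory can simply change the mode back.
echo "🛡️ Applying read-only lock to user configuration directory..."
if ! { sudo chown root:root "$USER_CONFIG_DIR" "$USER_POLICY_FILE" \
        && sudo chmod 444 "$USER_POLICY_FILE" \
        && sudo chmod 555 "$USER_CONFIG_DIR"; }; then
    echo "❌ CRITICAL ERROR: Could not lock '$USER_CONFIG_DIR'. Exiting."
    exit 1
fi
# Residual limitation: the parent directories under the home directory still
# belong to the user, who can move the locked directory aside and let
# LibreOffice create a fresh profile. Permissions inside a user-owned home
# slow changes down but do not enforce policy.
# NOTE(review): for settings that must be enforced, consider shipping them in
# the root-owned system-level LibreOffice registry with oor:finalized="true"
# - TODO confirm the registry location for the installed package.
# NOTE(review): LibreOffice normally writes to its profile at runtime; confirm
# that it starts cleanly with a read-only profile directory.

echo "✅ Step 2 complete. User's LibreOffice configuration is now permanently locked."
echo "--------------------------------------------------------"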

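# --- Step 3: System Finalization ---
# Creates the user's document folder, clears the execute bit on shell scripts
# that sit directly inside home directories, and refreshes the desktop-entry
# cache. Reads PRIMARY_USER and USER_HOME set earlier in the script.
echo "➡️ Step 3: Finalizing user environment..."
if sudo -u "$PRIMARY_USER" mkdir -p -- "$USER_HOME/LibreOfficeDocs"; then
    echo "✅ Created ~/LibreOfficeDocs directory."
else
    echo "⚠️ WARNING: Could not create '$USER_HOME/LibreOfficeDocs'."
fi
# Only regular files are touched. chmod follows a symbolic link named on its
# command line, so a link called *.sh inside a home directory would make root
# change the mode of whatever it points to. With -R, a directory called *.sh
# would lose search permission together with everything inside it.
# '! -path' keeps the original glob's behaviour of skipping dot-directories
# and dot-files. Best-effort, as before: errors are silenced and ignored.
# This is a tidy-up rather than a control: the owner of a script can restore
# the bit, and an interpreter can still read the file.
sudo find /home -mindepth 2 -maxdepth 2 -type f -name '*.sh' ! -path '*/.*' \
    -exec chmod a-x -- {} + 2>/dev/null || true
sudo update-desktop-database
echo "✅ Step 3 complete."
echo "--------------------------------------------------------"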

# --- Step 4: Terminal Lockdown (COMMENTED OUT FOR DIAGNOSTICS) ---
# In this diagnostic build the step only announces that it is disabled; the
# lockdown commands are kept below as comments for reference.
#
# NOTE(review), before re-enabling:
#   * Layer 2 writes ~/.bashrc, which presumably only affects interactive
#     bash sessions that read that file.
#   * A root-owned file inside a directory the user owns can still be
#     replaced by that user, so the chown/chmod pair does not pin it.
#   * Consider enforcing this outside the home directory instead, for
#     example through the account's login shell.
printf '%s\n' "➡️ Step 4: Terminal Lockdown is currently DISABLED for diagnostics."
# # Layer 1: Lock terminal applications directly
# echo "🛡️ Removing execute permissions from terminal applications..."
# for term in /usr/bin/gnome-terminal /usr/bin/lxterminal /usr/bin/xfce4-terminal /usr/bin/tilix /usr/bin/konsole /usr/bin/xterm; do
#     [ -f "$term" ] && sudo chmod a-x "$term"
# done
# if [ -e "/usr/bin/x-terminal-emulator" ]; then
#     sudo chmod a-x /usr/bin/x-terminal-emulator
# fi
# # Layer 2: Create a .bashrc trap to exit any shell that does launch
# echo "🛡️ Creating .bashrc trap..."
# BASHRC_FILE="$USER_HOME/.bashrc"
# echo 'echo "🔒 Terminal access is disabled on this device."; sleep 2; exit' | sudo -u "$PRIMARY_USER" tee "$BASHRC_FILE" > /dev/null
# # Make the .bashrc file read-only and owned by root to prevent user changes.
# sudo chown root:root "$BASHRC_FILE"
# sudo chmod 444 "$BASHRC_FILE"
# echo "✅ Terminal lockdown complete."
printf '%s\n' "--------------------------------------------------------"

# --- Step 5: FINAL DESTRUCTIVE STEP (COMMENTED OUT FOR DIAGNOSTICS) ---
# In this diagnostic build the step only announces that it is disabled and
# then prints the closing banner; the destructive commands are kept below as
# comments for reference.
#
# NOTE(review), before re-enabling:
#   * Every chmod in the loop runs through sudo, so /usr/bin/sudo has to stay
#     the last entry of binaries_to_disable.
#   * $bin_pattern is expanded unquoted, presumably on purpose so that an
#     entry may be a glob.
#   * Mode 000 does not restrict root.
#   * With getty masked and sudo disabled there is no local way back in, so
#     make sure an out-of-band recovery path exists first.
printf '%s\n' "➡️ Step 5: Destructive Hardening is currently DISABLED for diagnostics."
# echo "⚠️ This will permanently remove permissions from system tools."
# sleep 3
# # A) Disable non-essential services
# echo "🛡️ Disabling non-essential services..."
# sudo systemctl disable --now cups.service 2>/dev/null || true
# sudo systemctl disable --now avahi-daemon.service 2>/dev/null || true
# sudo systemctl mask getty@.service 2>/dev/null || true
# # B) Disable all non-essential command-line binaries
# echo "🛡️ Removing permissions from administrative and network tools..."
# # NOTE: We are NOT disabling Python, as LibreOffice depends on it.
# binaries_to_disable=(
#     /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg /usr/bin/add-apt-repository
#     /bin/nano /usr/bin/vi /usr/bin/vim /usr/bin/pico /bin/ed
#     /usr/bin/wget /usr/bin/curl /bin/ping /usr/bin/ssh /usr/bin/scp /usr/bin/sftp
#     /bin/top /usr/bin/htop /usr/bin/less /usr/bin/more
#     /usr/bin/perl
#     /usr/bin/gcc /usr/bin/g++ /usr/bin/make
#     /usr/bin/sudo
# )
# for bin_pattern in "${binaries_to_disable[@]}"; do
#     for bin_path in $bin_pattern; do
#         if [ -e "$bin_path" ]; then
#             sudo chmod 000 "$bin_path"
#             echo "🔒 Permanently Disabled: $bin_path"
#         fi
#     done
# done
# echo "✅ Destructive hardening complete."

# Closing banner: one line per argument.
printf '%s\n' \
    "--------------------------------------------------------" \
    "🎉 Setup script finished in DIAGNOSTIC MODE." \
    "Terminal and system tools remain active for testing." \
    "You may now close this window."