On 06/29/2017 09:09 AM, [email protected] wrote:
> On Wednesday, June 28, 2017 at 4:21:36 PM UTC-4, Chris Laprise wrote:
>> On 06/28/2017 12:19 PM, [email protected] wrote:
>>> Thanks, and point taken on not focusing on security implications.
>>> I found a thread from last year where some third-party devs are concerned about
>>> the implications of letting qvm-run -p run wild:
>>> https://github.com/SietsevanderMolen/i3-qubes/issues/15
>>> It's a good idea, but I think I'm looking for a more secure solution - if it's
>>> out there.
>> IIUC, having dom0 parse the file list is what's worrying you? Otherwise,
>> passing data through dom0 (no parsing) should be considered secure.
>> You can have dom0 pipe between machines like so:
>> qvm-run -p sys-net "tar -cf - /etc/NetworkManager/system-connections" |
>> qvm-run -p sys-net-profiles "tar -xf -"
>> This entails a small amount of risk to the profiles VM (because tar file
>> is parsed there), but not to dom0.
>> --
>> Chris Laprise, [email protected]
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> So in this case, sys-net could return whatever malicious file it desired, it
> would be passed through dom0 one character at a time with absolutely no
> interpretation, ending up at the destination VM?
> Or would dom0 collect the entire text of the file, and then pipe it in one
> piece to the destination VM?
Transfer through pipe is done by character or block, so no expansion or
parsing in dom0 in this case.
Another idea is to cat all the files together in a single file with a
special separator like '!!!! filename' between them. Then you can pipe
them without tar and use a text sanitizer on the receiving VM before
separating them.
--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
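
One way to do the receiving-VM step of the separator idea above, as an added example that is not part of the original thread: sanitize the stream first, then split it on '!!!! filename' lines. The file-name policy, the size cap, the ASCII-only filter and the function names are assumptions chosen for illustration.

```python
import re

SEP = "!!!! "                 # separator prefix proposed in the thread
# Assumed policy: plain file names only (no '/', no leading '.' or '-').
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,127}")
MAX_BYTES = 1 << 20           # assumed cap on the whole stream

# Constructed sample input: two files, one carrying a terminal escape sequence.
SAMPLE = (b"!!!! home-wifi\n[connection]\nid=home-wifi\x1b[2J\n"
          b"!!!! Wired connection 1\n[ipv4]\nmethod=auto\n")


def sanitize_line(line):
    """Keep printable ASCII and tabs; drop control bytes and anything else."""
    return "".join(c for c in line if c == "\t" or " " <= c <= "~")


def split_stream(raw):
    """Sanitize an untrusted byte stream, then split it into {name: text}."""
    if len(raw) > MAX_BYTES:
        raise ValueError("stream too large")
    lines = raw.decode("ascii", errors="replace").split("\n")
    if lines and lines[-1] == "":
        lines.pop()           # a trailing newline is not an extra line
    files, current = {}, None
    for line in map(sanitize_line, lines):
        if line.startswith(SEP):
            # Any line starting with the separator is a header, so file
            # content itself must never begin a line with "!!!! ".
            name = line[len(SEP):]
            if not SAFE_NAME.fullmatch(name) or name in files:
                raise ValueError("rejected file name: %r" % name)
            files[name], current = "", name
        elif current is None:
            raise ValueError("data before first separator")
        else:
            files[current] += line + "\n"
    return files


if __name__ == "__main__":
    for name, text in split_stream(SAMPLE).items():
        print(name, len(text))
```

The ASCII-only filter also strips legitimate non-ASCII characters, so files containing them arrive altered.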