On 7/28/19 10:23 PM, Jon deps wrote:
On 7/29/19 12:02 AM, Chris Laprise wrote:
On 7/28/19 4:55 PM, Jon deps wrote:
On 7/28/19 7:52 PM, Jon deps wrote:
On 7/28/19 1:36 AM, Chris Laprise wrote:
On 7/27/19 8:27 PM, Jon deps wrote:
Pardon my non-sysadmin query:


Any chance of some real-world examples? Quite a few new terms there.

So, install into Debian-9,

but at step 2 I am already lost.

e.g. how and where am I "activating" vm-boot-protect in the TemplateVM?

Or, during install, is there going to appear a choice of which service to start, and then, when one opens a TBAVM based on the specified Deb-9 template, the protection works at that point?

Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a service.


Can I install it in a fresh Deb-9, and if it's breaking things, just delete the fresh Deb-9 template, or is it touching dom0?

It has a second-stage installation step that changes sudo/root access inside the template. And for that new root config to work, you have to add a couple dom0 config lines (it shows you the dom0 lines at the end of the install process).

If you remove the altered Deb-9, the dom0 config lines will stay unless you change them back. However, in practice there is really no impact on your unmodified templates, so whether or not to remove the dom0 lines is a question of tidiness.

As an alternative, per the Readme step 3, you can sidestep the whole sudo auth reconfiguration.


I guess once installed there is no uninstalling?

Currently there is no "purge everything" function or uninstall. You can remove the service manually by deleting the following:

/lib/systemd/system/vm-boot-protect.service
/usr/lib/qubes/init/vm-boot-protect.sh
/etc/default/vms


I just ended up using vm-boot-protect-root for sys-net and sys-usb in Qube Settings / Services,

per the "Where to use basic examples",

and vm-boot-protect for regular AppVMs.


I think I'll skip it for anything else.

sys-net is working (I am using fedora-30 because of the past clock sync issue, otherwise Deb-9), but just curious what the "additional network VMs" would be here: proxy VPN VMs?

"The sys-net VM should work 'out of the box' with the vm-boot-protect-root service via the included whitelist file. Additional network VMs may require configuration, such as cp sys-net.whitelist sys-net2.whitelist."


PS: the AppVMs seem a bit slower to boot, but could be my imagination? :)




As expected, since my sys-net was not based on the template I installed the script to ....

I installed it to a deb-9 clone, and the disp-qubes-manager method seems to be failing to update. Typically when that happens I go to a terminal in the template and do it manually; usually it seems to want dist-upgrade, which presumably the disp-update has issues with. But after installing the script *

in the deb-9 template
$ sudo apt-get update

fails with what looks like a script message about having entered it incorrectly 3 times.

So sorry, but am I supposed to add vm-protect-root to the template services as well, or how do I fix this?

'vm-protect-root' doesn't match any service created by Qubes-VM-hardening.

Adding vm-boot-protect or vm-boot-protect-root to the services of the template is optional. You can use either one, but it will always behave like plain vm-boot-protect in the template (the -root functions don't make sense in templates).

I'm not clear on when/where you're using fedora-30. Note that install step 3 is different for fedora.

With debian-9, if you're getting immediate errors from every 'sudo' command, this would be expected if you chose to uninstall 'qubes-core-agent-passwordless-root' in install step 3 (this means no more sudo!). But if you chose to auto-configure sudo, you will still need to add the config lines to dom0 for sudo to work correctly (otherwise, sudo will just give you errors); these lines are printed in the shell at the end of the install process.


Hence my original query about 'examples'. Thanks in advance.


Not sure what example you're looking for. In debian, the installer asks you one question: 'Configure sudo authentication prompt now? (y/n)'.

After installing Qubes-VM-hardening with sudo auth configured, running a command like 'sudo apt-get update' will cause a dom0 auth prompt window to appear, at which point you can hit 'Enter' or click 'OK'. Then the command will run normally.



At the vm-boot-protect level, you should see 'bin' automatically added to your home dir, and doing an 'lsattr -a' will show a number of files/dirs in home with the 'i' flag set.

At vm-boot-protect-root level, you should see a new dir '/rw/vm-boot-protect' and it should contain 'BAK' and/or 'ORIG' versions of config, bind-dirs and usrlocal.


1)
So, I chose 'yes' at the end of the script for 'configure sudo authentication prompt'. a) Somehow I missed the 'several commands' to manually configure in dom0; could you please tell me what they are? b) Otherwise I guess I can try uninstalling -passwordless-root from the debian-9 template.

I wouldn't do the uninstall on top of the sudo reconfig (though you might get an interesting result...).

The text printed at the end of install:

Done.

Next.... Enable auth prompts in dom0 with the following commands:
  [user@dom0 ~]$ sudo su -
  [root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
  [root@dom0 /]# echo "\$anyvm dom0 ask,default_target=dom0" \
    >/etc/qubes-rpc/policy/qubes.VMAuth


These are the same dom0 changes described in the doc page:
https://www.qubes-os.org/doc/vm-sudo/

BTW, if you don't remember seeing the dom0 instructions then something might have gone wrong in the installer.



2) Please disregard what I said about Fedora, my mistype of 'vm-protect-etc', and my 1st status report, when I was still trying things out.

3) So no service needs to be added to either the Deb-9 template, NOR any AppVMs based on the template?
     a) The installing howto says to "specify one of the services for your VMs".

I didn't say that. I said that specifying the Qubes services isn't necessary for the template; it doesn't affect whether or not the template-based VMs use those services.


4) It seems that it also breaks any AppVMs using other templates where the script wasn't installed.

No, it wouldn't do that.


    So I think I'm close to reinstalling rather than removing the 3 lines from dom0 referenced in your previous, as sys-net is not working based on a different template :) Regards


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3447dd95-d5f5-c99c-0d4a-83fe111744dd%40posteo.net.
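An added example, not from the thread, from Qubes-VM-hardening or from Qubes itself: two small POSIX-shell checks for the two things Chris describes above, (a) that the dom0 qubes.VMAuth service file and policy rule are in place, and (b) which entries in the home directory actually carry the 'i' (immutable) flag that vm-boot-protect sets. The function names, the root-directory parameter and the sample inputs are mine; the policy syntax assumed is the `source destination action[,option=value]` form shown in the thread's dom0 lines, with `@anyvm` additionally accepted (an assumption).

```shell
#!/bin/sh
# Added example (not from the thread, Qubes-VM-hardening or Qubes itself).
# Checks the two things the thread says you should see after installation.
# Assumed: Qubes 4.0 policy syntax "source dest action[,opt=val]" as in the
# thread's dom0 lines; "@anyvm" is additionally accepted (assumption).

# --- dom0 side: the qubes.VMAuth service and its policy -------------------

vmauth_service_ok() {
    # $1 = root directory ("/" in dom0, or a temp dir for testing).
    f="$1/etc/qubes-rpc/qubes.VMAuth"
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
}

vmauth_policy_ok() {
    # Return 0 if the first rule matching "any VM -> dom0" is 'ask'.
    # Policy files are evaluated top-down; the first matching rule wins,
    # so a 'deny' above the 'ask' line would silently break the prompt.
    f="$1/etc/qubes-rpc/policy/qubes.VMAuth"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line                                # split: source dest action[,opts]
        [ $# -ge 3 ] || continue
        src=$1; dst=$2; action=${3%%,*}; opts=${3#"$action"}
        case "$src" in '$anyvm'|'@anyvm') ;; *) continue ;; esac
        [ "$dst" = dom0 ] || continue
        if [ "$action" = ask ]; then
            case "$opts" in *default_target=dom0*) ;;
                *) echo "note: rule lacks default_target=dom0 (the thread's line has it)" >&2 ;;
            esac
            return 0
        fi
        echo "first matching rule is '$action', not 'ask': $line" >&2
        return 2
    done < "$f"
    echo "no rule for \$anyvm -> dom0 in $f" >&2
    return 2
}

vmauth_check() {
    vmauth_service_ok "$1" && vmauth_policy_ok "$1"
}

# --- VM side: which entries did vm-boot-protect make immutable? -----------

immutable_entries() {
    # Reads "lsattr -a" output on stdin and prints the paths whose attribute
    # string contains 'i' (chattr +i). 'I' (indexed directory) is a different
    # flag and is not matched.
    while IFS= read -r line || [ -n "$line" ]; do
        attrs=${line%% *}
        path=${line#* }
        case "$attrs" in *i*) printf '%s\n' "$path" ;; esac
    done
}

# Usage in dom0 (as root):   vmauth_check /
# Usage inside the AppVM:    lsattr -a ~ | immutable_entries
```

Source the file and run `vmauth_check /` in dom0 after adding the two lines from the install output; a non-zero exit with a message on stderr tells you which of the two files is missing or which rule shadows the 'ask'. Inside an AppVM with the vm-boot-protect service enabled, `lsattr -a ~ | immutable_entries` lists exactly the entries the service locked, which is the quick way to confirm the service actually ran for that VM.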