On 9/3/20 12:44 AM, 'Ryan Tate' via qubes-users wrote:
I've started making special templateVMs where I install less trusted
software, typically closed source binaries or code distributed directly
from a vendor.
I am curious if others do this and if people think it adds much
security-wise.
For example, in addition to vanilla fedora-32, where I will install any
number of packages from the standard repos, I have -
fedora-32-zoom (the proprietary videoconferencing software)
fedora-32-slack (the group chat app, installed from their own rpm)
fedora-32-print (had to run a Brother install tool to get printer
working, use it from my dvm-print which is firewalled only to my local
printer IPs)
fedora-32-media (has some proprietary media handling software)
I just don't like the idea of putting untrusted code in a templateVM
used by sensitive VMs. On the other hand, perhaps I worry too much, in
theory at least I do control when any given app is run? The Brother
install was a bash script run via sudo (!!) that could have done
anything but the others typically go in as rpm files via dnf, so
presumably (?) they can't just install untrusted services that get auto
launched.
Obviously this makes updates take longer, so it's got some cost.
Is this a wise approach? Or no? Thanks for any thoughts....
Ryan
Hi Ryan,
I do very similar things. I have a debian-media and a couple of other
specialised templates. Also, I have a Skype standalone VM as I didn't
want a whole template just for Skype.
I had to give up on my zoom standalone VM because my usb camera was
very flakey when attached via sys-usb. Works OK with skype, but
not zoom!?!
Mike