Re: [qubes-users] VPN with PPTP failing
> modprobe ip_conntrack_pptp
> modprobe ip_nat_pptp
> iptables -I FORWARD -p 47 -s X.X.X.X -j ACCEPT
>
What setup do I need for a ProxyVM?

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/158c26eb-7ab2-4249-aa84-eb84640e2d36%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN ProxyVM rc.local
On 08/14/2016 04:52 PM, Paf LeGeek wrote:
> Hello!
>
> I am trying to follow the steps in the link below to make a ProxyVpn with VPN autostart:
> https://www.qubes-os.org/doc/vpn/
>
> But my rc.local does not start on my ProxyVM.
>
> I did the commands below on my Debian 8 Template VM:
>
> sudo chmod +x /etc/rc.local
> systemctl disable openvpn.service
>
> The rc.local service is enabled.
>
> This is the result of ls -l:
> user@debian-8-vpn:~$ ls -l /etc/rc.local
> -rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local
>
> If I start the rc.local with sudo sh /etc/rc.local using the terminal on my ProxyVM, it's working.
>
> So, why does my rc.local not start automatically on my ProxyVM?
>
> Thanks for your help.

Hi,

The vpn doc indicates /rw/config/rc.local (in the proxy vm) not /etc/rc.local.

Chris
Re: [qubes-users] grub2-mkconfig not found
On Saturday, August 13, 2016 at 5:45:58 PM UTC-4, Marek Marczykowski-Górecki wrote:
> On Sat, Aug 13, 2016 at 06:53:20AM -0700, zackp...@gmail.com wrote:
> > On Saturday, August 13, 2016 at 6:14:44 AM UTC-4, Marek Marczykowski-Górecki wrote:
> > > On Sat, Aug 13, 2016 at 03:11:57AM -0700, Andrew David Wong wrote:
> > > > On 2016-08-12 20:57, zackp...@gmail.com wrote:
> > > > > Hi all, I'm a new qubes user and have been following the guides to get
> > > > > trim enabled for the dom0. Everything seems to have gone smoothly until the
> > > > > grub steps. I can't find a grub.cfg file anywhere. The only abnormality to
> > > > > my installation is that it's UEFI. So the closest thing I did find to this
> > > > > was /boot/efi/EFI/qubes/xen.cfg which had the kernel line referenced in the
> > > > > trim guide. However, when I attempt to run grub2-mkconfig -o
> > > > > /boot/efi/EFI/qubes/xen.cfg I get "grub2-mkconfig: command not found" All
> > > > > that is present in the /boot/grub2 folder is a themes folder. I am using
> > > > > the main dom0 terminal for all of this.
> > > > >
> > > > > Considering that everything boots fine, I'm hesitant to reinstall grub2 (I
> > > > > assume it would need to be grub2-efi in this case). Any clue as to what's
> > > > > going on? Thanks
> > > >
> > > > I think grub2-mkconfig is not found because you're using UEFI rather than
> > > > legacy boot. Are you getting your instructions from here?
> > > >
> > > > https://www.qubes-os.org/doc/disk-trim/
> > > >
> > > > I think these instructions were written with legacy boot in mind. I'm not sure
> > > > how to enable TRIM on UEFI (CCing Marek).
> > >
> > > Yes, on UEFI install /boot/efi/EFI/qubes/xen.cfg is the right file - you
> > > need to edit it directly.
> > >
> > > --
> > > Best Regards,
> > > Marek Marczykowski-Górecki
> > > Invisible Things Lab
> > > A: Because it messes up the order in which people normally read text.
> > > Q: Why is top-posting such a bad thing?
> >
> > So I'm editing the right file, that's all and good. Here's what I've done so far:
> >
> > #Find UUID of ssd
> > ls /dev/mapper/luks-*
> > #Set trim in crypttab
> > sudo nano /etc/crypttab
> > #Add "allow-discards" at end of entry for ssd with matching UUID
> > #Set trim in fstab
> > sudo nano /etc/fstab
> > #Add "discard" after other flags (like "default") for everything but swap
> > sudo nano /etc/lvm/lvm.conf
> > #Change "issue_discards" from "0" to "1"
> > #Add discard to grub
> > sudo nano /boot/efi/EFI/qubes/xen.cfg
> > #At the end of the kernel line, add "rd.luks.allow-discards=1"
> > #Rebuild initramfs
> > sudo dracut -H -f
> > ##Check if discard (trim) is enabled:
> > lsblk -D
> > #OR
> > sudo dmsetup table
> >
> > Everything above works except that lsblk still shows no trim support so I
> > guess that the rebuilding of grub is an important step in this.
>
> I think dracut by default places the output file in
> /boot/initramfs-(kernel version), while on a UEFI system the bootloader loads
> it from /boot/efi/EFI/qubes/. Try to copy it there.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I checked the date and time of creation of the initramfs file in the directories you specified and you are correct in that dracut created it in /boot. However, after copying it to /boot/efi/EFI/qubes and replacing the one there, there's still no trim support. Here's my output:

sudo dmsetup table
snapshot-fb01:3278378-fb01:3279033: 0 20971520 snapshot 7:7 7:8 P 256
qubes_dom0-swap: 0 15990784 linear 251:0 2048
qubes_dom0-root: 0 451420160 linear 251:0
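
The "sudo dmsetup table" check from the steps quoted in this thread can be scripted: on a dm-crypt (LUKS) mapping, discard pass-through shows up as the allow_discards optional parameter on the crypt target line. The Python below is an added example, not part of the thread; the two luks-sample-* lines are constructed input, the other two lines are the complete ones from the output above, and the function names are hypothetical.

```python
import re

# "name: start length target args..."; mapping names may contain ':' themselves,
# as in the snapshot line of the output posted in the thread.
LINE = re.compile(
    r"^(?P<name>.+?): (?P<start>\d+) (?P<length>\d+) (?P<target>\S+)(?: (?P<args>.*))?$"
)

# Constructed sample: dmsetup prints the key as zeros unless --showkeys is used.
ZERO_KEY = "0" * 64
SAMPLE = "\n".join([
    # constructed: crypt mapping opened with discards allowed
    f"luks-sample-with-trim: 0 976766976 crypt aes-xts-plain64 {ZERO_KEY} 0 8:2 4096 1 allow_discards",
    # constructed: crypt mapping opened without the option
    f"luks-sample-without-trim: 0 976766976 crypt aes-xts-plain64 {ZERO_KEY} 0 8:18 4096",
    # the two complete lines from the output in the message above
    "snapshot-fb01:3278378-fb01:3279033: 0 20971520 snapshot 7:7 7:8 P 256",
    "qubes_dom0-swap: 0 15990784 linear 251:0 2048",
])


def parse_dmsetup_table(text):
    """Return a list of (mapping name, target type, argument list) tuples."""
    rows = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            rows.append((match["name"], match["target"], (match["args"] or "").split()))
    return rows


def crypt_discard_status(text):
    """Map every crypt target to True/False: is allow_discards set on it?"""
    status = {}
    for name, target, args in parse_dmsetup_table(text):
        if target != "crypt":
            continue
        # crypt arguments: cipher key iv_offset device offset [count opt1 opt2 ...]
        options = []
        if len(args) > 5 and args[5].isdigit():
            options = args[6:6 + int(args[5])]
        status[name] = "allow_discards" in options
    return status


if __name__ == "__main__":
    # In dom0 the input would be the text printed by "sudo dmsetup table".
    for mapping, enabled in crypt_discard_status(SAMPLE).items():
        print(f"{mapping}: discards {'passed through' if enabled else 'blocked at the crypt layer'}")
```

If no crypt line carries allow_discards, the LVM volumes stacked on top of it cannot pass TRIM down either, whatever /etc/fstab and lvm.conf say.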
Re: [qubes-users] Tool to record Whonix / Tor browsing history..?
On 08/14/2016 06:33 PM, Unman wrote:
> On Fri, Aug 12, 2016 at 02:58:26PM +, Manuel Amador (Rudd-O) wrote:
>> On 08/12/2016 01:39 PM, neilhard...@gmail.com wrote:
>>> I would like to be able to do something like:
>>>
>>> 1. Use Whonix/Tor as a disposable VM
>>>
>>> 2. Record browsing history using an external software
>>>
>>> One of the reasons I don't use Tor that much (other than slow speed,
>>> captchas etc) is because I actually want to have a record of the websites I
>>> have visited.
>>>
>>> We know that it could be risky to have the Tor browser itself record
>>> history, if it gets hacked.
>>>
>>> But to have some tool running outside of the VM would be useful..
>>
>> For the same reason that attackers outside the VM can't see what you're
>> visiting, you yourself won't be able to see it either.
>>
>> What you want is not doable.
>>
>> If you want to have a record of sites you visit, then tell the Tor
>> Browser to record your browsing history, and hope that works for you.
>>
>> --
>> Rudd-O
>> http://rudd-o.com/
>
> It should be possible to insert a proxy between the browser and the Tor
> gateway, and sniff the traffic there.
> You could use a crafted tcpdump filter to some effect, but you won't just
> get a record of websites, but all requests, so you will have to do some
> post processing on the file to identify the websites. Not difficult, but
> probably won't be exactly what you want. It will, of course, also include
> all resource requests: that could be interesting, and might surprise
> you.
>
> unman

I was thinking something like have the Tor Browser record history in a disposable VM, and have a Qubes RPC pull the Firefox profile to a separate VM. More options like parsing the SQLite database could be included to increase usability.

https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

--
kulinacs
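
The "parsing the SQLite database" idea in the message above, as an added Python example that is not part of the thread: it reads the history tables of a places.sqlite file that has already been copied out of the browsing VM, opens the copy read-only, and treats every field as untrusted input. The function names and the sample rows are constructed for illustration, and the sample schema holds only the columns the query uses.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import quote, urlsplit

# One row per visit, joined to the page it refers to, oldest first.
QUERY = """
SELECT v.visit_date, p.url, p.title
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date
"""


def open_readonly(path):
    """Open a copied places.sqlite read-only so the parser never modifies it."""
    return sqlite3.connect(f"file:{quote(str(path))}?mode=ro", uri=True)


def printable(text):
    """Drop control characters; the file comes from a less trusted VM."""
    if not isinstance(text, str):
        return ""
    return "".join(ch for ch in text if ch.isprintable())


def read_visits(conn):
    """Return one dict per visit: UTC timestamp, host, URL and title."""
    visits = []
    for visit_date, url, title in conn.execute(QUERY):
        if not isinstance(visit_date, int) or not isinstance(url, str):
            continue  # SQLite is dynamically typed; skip malformed rows
        try:
            # visit_date is stored as microseconds since the Unix epoch
            when = datetime.fromtimestamp(visit_date // 1_000_000, tz=timezone.utc)
            host = urlsplit(url).hostname or ""
        except (ValueError, OverflowError, OSError):
            continue
        visits.append({
            "when": when.isoformat(timespec="seconds"),
            "host": printable(host),
            "url": printable(url),
            "title": printable(title),
        })
    return visits


def sites_visited(visits):
    """Collapse the visit list to a per-host count, the 'record of websites'."""
    return Counter(v["host"] for v in visits if v["host"])


def build_sample(conn):
    """Constructed sample data, including a title with an escape sequence."""
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://example.org/", "Example\x1b[31m Domain"),
        (2, "https://example.com/docs/page?id=7", None),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1471176000000000),
        (2, 2, 1471176300000000),
        (3, 1, 1471176600000000),
    ])


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # use open_readonly(path) for a real copy
    build_sample(conn)
    history = read_visits(conn)
    for visit in history:
        print(visit["when"], visit["host"], visit["title"])
    print(sites_visited(history).most_common())
```

Unlike a packet capture between the browser and the gateway, the history tables hold page visits only, so no post-processing is needed to separate sites from resource requests.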
Re: [qubes-users] VPN ProxyVM rc.local
On Sun, Aug 14, 2016 at 01:52:22PM -0700, Paf LeGeek wrote:
> Hello!
>
> I am trying to follow the steps in the link below to make a ProxyVpn with VPN
> autostart:
> https://www.qubes-os.org/doc/vpn/
>
> But my rc.local does not start on my ProxyVM.
>
> I did the commands below on my Debian 8 Template VM:
>
> sudo chmod +x /etc/rc.local
> systemctl disable openvpn.service
>
> The rc.local service is enabled.
>
> This is the result of ls -l:
> user@debian-8-vpn:~$ ls -l /etc/rc.local
> -rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local
>
> If I start the rc.local with sudo sh /etc/rc.local using the terminal on my
> ProxyVM, it's working.
>
> So, why does my rc.local not start automatically on my ProxyVM?
>
> Thanks for your help.

Hello.

Do you see any errors re the VPN service?
What is the content of your rc.local file?

unman
Re: [qubes-users] Tool to record Whonix / Tor browsing history..?
On Fri, Aug 12, 2016 at 02:58:26PM +, Manuel Amador (Rudd-O) wrote:
> On 08/12/2016 01:39 PM, neilhard...@gmail.com wrote:
> > I would like to be able to do something like:
> >
> > 1. Use Whonix/Tor as a disposable VM
> >
> > 2. Record browsing history using an external software
> >
> > One of the reasons I don't use Tor that much (other than slow speed,
> > captchas etc) is because I actually want to have a record of the websites I
> > have visited.
> >
> > We know that it could be risky to have the Tor browser itself record
> > history, if it gets hacked.
> >
> > But to have some tool running outside of the VM would be useful..
>
> For the same reason that attackers outside the VM can't see what you're
> visiting, you yourself won't be able to see it either.
>
> What you want is not doable.
>
> If you want to have a record of sites you visit, then tell the Tor
> Browser to record your browsing history, and hope that works for you.
>
> --
> Rudd-O
> http://rudd-o.com/

It should be possible to insert a proxy between the browser and the Tor gateway, and sniff the traffic there.
You could use a crafted tcpdump filter to some effect, but you won't just get a record of websites, but all requests, so you will have to do some post processing on the file to identify the websites. Not difficult, but probably won't be exactly what you want. It will, of course, also include all resource requests: that could be interesting, and might surprise you.

unman
Re: [qubes-users] VPN with PPTP failing
On Sat, Aug 13, 2016 at 03:22:16AM -0700, kotot...@gmail.com wrote:
> Hi,
>
> I'm trying to setup a VPN connection with PPTP from sys-net (first tried with
> the ProxyVM but it also didn't work) without success.
>
> Any help is welcome, here below the logs.
> I also tried
>
> $ sudo modprobe nf_conntrack_pptp
>
> without success.
>
> I'm using the fedora template.
>
> Plugin /usr/lib64/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
> using channel 9
> Using interface ppp0
> Connect: ppp0 <--> /dev/pts/1
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> LCP: timeout sending Config-Requests
> Connection terminated.
> Modem hangup
> Script /sbin/pptp 91.233.116.223 --nolaunchpppd --loglevel 2 --logstring
> nm-pptp-service-5272 finished (pid 5281), status = 0x0

My guess is that you are blocking the connection from the VPN server.
PPTP requires you to allow inbound GRE traffic.
If your server is at X.X.X.X, and the VPN client is attached to sys-net then you want something like this on sys-net:

modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
iptables -I FORWARD -p 47 -s X.X.X.X -j ACCEPT

See if that helps.

u
Re: [qubes-users] installing Signal on Qubes mini-HOWTO
On 08/14/2016 05:22 PM, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
>
> If you're a Signal user on Android, you can now have Signal inside
> Qubes. Here's how I did it:
>
> 1. Install the Chromium browser in your appvm template - skip if you
> were already using it. Shut down the template VM.
> 2. Create a new AppVM called Signal
> 3. Launch Chromium browser in new VM, go to chrome://extensions/ in the
> address bar and follow the link to the Chrome app store.
> 4. In the app store, search for "Signal private messenger" and install
> the app.
> 5. The app launches automatically on first install. Follow the prompts
> to "link" this app with your phone.
> 6. At this stage Signal should work on your Qubes system.
>
> Let's make Signal a bit more usable by creating a shortcut in our
> desktop panel that launches Signal directly. (this assumes KDE desktop
> on Dom0)
>
> 7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal
> -> Signal: Add more shortcuts... -> Select "Chromium web browser")
> 8. Follow
> http://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer-
> to create a desktop shortcut
> 9. Right-click on Chromium icon in panel, select "Icon Settings"
> 10. Change the "Command" field of the "Application" tab to:
> qvm-run -a --tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh --profile-directory=Default --app-id=(long string which you'll get from the properties of the desktop shortcut you created in step #7)'
> 11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used
> the following command to copy the icon file to Dom0:
> [user@dom0]$ qvm-run --pass-io Signal 'cat /home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png' > /home/users/signal-icon.png
> 12. Now you can change your new shortcut's icon from Chrome to Signal,
> by pointing it to /home/users/signal-icon.png
>
> If anyone has a better way of creating a custom panel shortcut I'd love
> to hear it.
>
> Cheers,
>
> Alex

This is a really neat idea and guide, thanks for sharing it!

It might be better to work with the way Qubes handles the shortcuts internally. That documentation can be found here.

https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1

If you dig through the GetAppMenus RPC, you'll see it (generally put) draws its source list from desktop files in /usr/share/applications. If you put a Signal .desktop file in there, you should (I think, untested) be able to simply use the GetAppMenus RPC.

--
kulinacs
[qubes-users] installing Signal on Qubes mini-HOWTO
Just spent a few minutes to figure this out so I thought I'd share.

If you're a Signal user on Android, you can now have Signal inside Qubes. Here's how I did it:

1. Install the Chromium browser in your appvm template - skip if you were already using it. Shut down the template VM.
2. Create a new AppVM called Signal
3. Launch Chromium browser in new VM, go to chrome://extensions/ in the address bar and follow the link to the Chrome app store.
4. In the app store, search for "Signal private messenger" and install the app.
5. The app launches automatically on first install. Follow the prompts to "link" this app with your phone.
6. At this stage Signal should work on your Qubes system.

Let's make Signal a bit more usable by creating a shortcut in our desktop panel that launches Signal directly. (this assumes KDE desktop on Dom0)

7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal -> Signal: Add more shortcuts... -> Select "Chromium web browser")
8. Follow http://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer- to create a desktop shortcut
9. Right-click on Chromium icon in panel, select "Icon Settings"
10. Change the "Command" field of the "Application" tab to:
    qvm-run -a --tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh --profile-directory=Default --app-id=(long string which you'll get from the properties of the desktop shortcut you created in step #7)'
11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used the following command to copy the icon file to Dom0:
    [user@dom0]$ qvm-run --pass-io Signal 'cat /home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png' > /home/users/signal-icon.png
12. Now you can change your new shortcut's icon from Chrome to Signal, by pointing it to /home/users/signal-icon.png

If anyone has a better way of creating a custom panel shortcut I'd love to hear it.

Cheers,

Alex
[qubes-users] VPN ProxyVM rc.local
Hello!

I am trying to follow the steps in the link below to make a ProxyVpn with VPN autostart:
https://www.qubes-os.org/doc/vpn/

But my rc.local does not start on my ProxyVM.

I did the commands below on my Debian 8 Template VM:

sudo chmod +x /etc/rc.local
systemctl disable openvpn.service

The rc.local service is enabled.

This is the result of ls -l:
user@debian-8-vpn:~$ ls -l /etc/rc.local
-rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local

If I start the rc.local with sudo sh /etc/rc.local using the terminal on my ProxyVM, it's working.

So, why does my rc.local not start automatically on my ProxyVM?

Thanks for your help.
Re: [qubes-users] Thinkpwn?
Just to clarify, that means that even if the UEFI is exploited, it does not matter with Qubes?
[qubes-users] qubes-hcl-report Lenovo T540p
Hi list,

I'm happy I now finally installed Qubes-OS on my notebook. Because of some issue with HDPI I installed the 3.2-rc2 and can tell everything works out of the box. Nice work Qubes-OS Team ;)

The only thing I miss are the shortcuts from my Lenovo notebook like MIC on/off, maybe somebody has an idea about this.

Regards
York
Re: [qubes-users] What exactly is stored in an App VM backup..?
OK, that's really nice to know that startup scripts are not saved. Really nice.

The thing about having to shut down the VM is still annoying though.

The other thing is, the progress bar for Qubes backups is very bad.. It stays at 0% for a long time, and then hours later, gets to 100%... There is not the kind of progressive movement that lets you know how long this is going to take.

Apart from that though.. at least it's secure. That's the main thing I care about.
Re: [qubes-users] What exactly is stored in an App VM backup..?
On 08/14/2016 03:37 PM, neilhard...@gmail.com wrote:
> But presumably this private.img is going to include things like:
>
> folder: /etc/init.d/
>
> file: /etc/rc.local
>
> things like this, which are used to do start-up scripts.

No, it does not. Only root.img for templateVMs includes such things; please refer to https://www.qubes-os.org/doc/template-implementation/ for more information on the overlayFS structure of block devices.

> So anyone who hacked the VM might place some start-up scripts which
> link to malware stored on the machine.

These changes are not persisted, because they are not saved in the private.img file, if they are made on an appvm.

> This is why I thought it would be better to use an internal Fedora
> system to do the backup.
>
> Doing this would also prevent you from having to shut down your VM in
> order to do the backup, which is a drain on productivity.

You can use the backup system you like, or even a superposition of many. I myself use a staggered-and-timed syncthing mirror for quick recovery of user mistakes (everything is copied and kept 90 days, and 3 copies of every file are staggered, so accidental edits or deletions can be recovered if not too much time ago) and also the qubes backup system for disaster recovery. I like to protect against those two scenarios, and no tool covers both efficiently, so I use both.

Me and a friend were thinking of preparing a duplicity-based appVM with beefy scripts which would be able to backup all the other appVMs and save a local USB hard drive or a remote, encrypted cloud storage (both standard functionality of duplicity), but eventually abandoned the project for lack of free time. That would have allowed for a centralized configuration and schedule point, while keeping the isolation Qubes provides. That could even be used, with some caveats (first and foremost, program data should be in a consistent state), with live AppVMs.

--
Alex
Re: [qubes-users] What exactly is stored in an App VM backup..?
But presumably this private.img is going to include things like:

folder: /etc/init.d/

file: /etc/rc.local

things like this, which are used to do start-up scripts.

So anyone who hacked the VM might place some start-up scripts which link to malware stored on the machine.

So these are going to be backed up by the Qubes backup system.

This is why I thought it would be better to use an internal Fedora system to do the backup.

Doing this would also prevent you from having to shut down your VM in order to do the backup, which is a drain on productivity.

---

Or am I wrong here..? Would this somehow not back up any start-up scripts...? Because that's what I'm worried about.
Re: [qubes-users] What exactly is stored in an App VM backup..?
On 2016-08-14 05:56, neilhard...@gmail.com wrote:
> I want to know.. what exactly is stored in an App VM backup..?
>
> When you back it up, and you have your single backup file, what is in that
> file?
>
> Obviously, your personal files, like folder structure, Documents,
> Downloads, Music etc.
>
> But how about programs..? Are programs stored in there, or are they only
> stored in the template VM..?
>
> How about things like startup scripts, for example, a startup script that
> may load up a virus..? Or are those just in the template VM..?
>
> I say this in terms of security... as to whether it is safe to back up an
> App VM... or whether it's safer to back up the files from within the App VM
> using some sort of Fedora tool...
>
> Thanks

No programs, just the AppVM's private.img file along with things like firewall.xml. You can explore the contents for yourself by following the instructions here:

https://www.qubes-os.org/doc/backup-emergency-restore-v3/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] What exactly is stored in an App VM backup..?
I want to know.. what exactly is stored in an App VM backup..?

When you back it up, and you have your single backup file, what is in that file?

Obviously, your personal files, like folder structure, Documents, Downloads, Music etc.

But how about programs..? Are programs stored in there, or are they only stored in the template VM..?

How about things like startup scripts, for example, a startup script that may load up a virus..? Or are those just in the template VM..?

I say this in terms of security... as to whether it is safe to back up an App VM... or whether it's safer to back up the files from within the App VM using some sort of Fedora tool...

Thanks
Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.
Hi, again.

Here is the full log attachment from a normal user without sudo. It doesn't work either.

http://pastebin.com/GQTN8zYx

>^
> This is the problem.
> You should call it from normal user, it will use sudo for those (few)
> things that require root. Now you probably have files ownership screwed
> up... The easiest way to fix is to remove and start again.
>
Re: [qubes-users] Assigning Drivers Help
Thanks, I appreciate the answer. You are right, it's more involved than I had realized and more involved than I'm willing to put up with. We've also got Nvidia cards, which don't seem to be working at all. I am disappointed, but I know how this goes. I hope the support is there at some point in the future, but in the meantime thanks for the Qubes that exists so far. I'm really excited about the tech and will at least be using it on my workstation.
Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.
File attached. Here is the full log.
Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.
Hi, Marek. Here is the installation from a normal user. Full log attached.
> This is the problem.
> You should call it from normal user, it will use sudo for those (few)

[user@arch-test ~]$ uname -a
Linux arch-test 4.1.24-10.pvops.qubes.x86_64 #1 SMP Fri Jul 22 10:23:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[user@arch-test ~]$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
[user@arch-test ~]$ sudo dnf install git createrepo rpm-build make wget rpmdevtools python-sh dialog rpm-sign
Last metadata expiration check: 0:01:00 ago on Sun Aug 14 14:38:44 2016.
Package git-2.5.5-1.fc23.x86_64 is already installed, skipping.
Package createrepo-0.10.3-3.fc21.noarch is already installed, skipping.
Package make-1:4.0-5.1.fc23.x86_64 is already installed, skipping.
Package wget-1.18-1.fc23.x86_64 is already installed, skipping.
Dependencies resolved.
 Package             Arch    Version                                 Repository  Size
Installing:
 binutils            x86_64  2.25-17.fc23                            updates     5.6 M
 dialog              x86_64  1.3-4.20160424.fc23                     updates     226 k
 dwz                 x86_64  0.12-1.fc23                             fedora      106 k
 ghc-srpm-macros     noarch  1.4.2-2.fc23                            fedora      8.2 k
 gnat-srpm-macros    noarch  2-1.fc23                                fedora      8.4 k
 go-srpm-macros      noarch  2-3.fc23                                fedora      8.0 k
 ocaml-srpm-macros   noarch  2-3.fc23                                fedora      8.1 k
 patch               x86_64  2.7.5-2.fc23                            fedora      123 k
 perl-generators     noarch  1.06-2.fc23                             updates     15 k
 perl-srpm-macros    noarch  1-17.fc23                               fedora      9.7 k
 python-sh           noarch  1.11-1.fc23                             updates     49 k
 python-srpm-macros  noarch  3-7.fc23                                updates     8.1 k
 redhat-rpm-config   noarch  36-1.fc23.1                             updates     59 k
 rpm-build           x86_64  4.13.0-0.rc1.13.fc23                    updates     137 k
 rpm-sign            x86_64  4.13.0-0.rc1.13.fc23                    updates     55 k
 rpmdevtools         noarch  8.9-1.fc23                              updates     105 k
 xemacs-filesystem   noarch  21.5.34-14.20160603hga561e02bb626.fc23  updates     21 k
Transaction Summary
Install 17 Packages
Total download size: 6.5 M
Installed size: 25 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): rpmdevtools-8.9-1.fc23.noarch.rpm 1.1 MB/s | 105 kB 00:00
(2/17): rpm-build-4.13.0-0.rc1.13.fc23.x86_64.r 1.2 MB/s | 137 kB 00:00
(3/17): patch-2.7.5-2.fc23.x86_64.rpm 1.0 MB/s | 123 kB 00:00
(4/17): python-sh-1.11-1.fc23.noarch.rpm 649 kB/s | 49 kB 00:00
(5/17): rpm-sign-4.13.0-0.rc1.13.fc23.x86_64.rp 915 kB/s | 55 kB 00:00
(6/17): dialog-1.3-4.20160424.fc23.x86_64.rpm 2.3 MB/s | 226 kB 00:00
(7/17): xemacs-filesystem-21.5.34-14.20160603hg 250 kB/s | 21 kB 00:00
(8/17): perl-generators-1.06-2.fc23.noarch.rpm 345 kB/s | 15 kB 00:00
(9/17): redhat-rpm-config-36-1.fc23.1.noarch.rp 1.4 MB/s | 59 kB 00:00
(10/17): dwz-0.12-1.fc23.x86_64.rpm 1.6 MB/s | 106 kB 00:00
(11/17): ghc-srpm-macros-1.4.2-2.fc23.noarch.rp 327 kB/s | 8.2 kB 00:00
(12/17): gnat-srpm-macros-2-1.fc23.noarch.rpm 1.0 MB/s | 8.4 kB 00:00
(13/17): ocaml-srpm-macros-2-3.fc23.noarch.rpm 786 kB/s | 8.1 kB 00:00
(14/17): go-srpm-macros-2-3.fc23.noarch.rpm 422 kB/s | 8.0 kB 00:00
(15/17): python-srpm-macros-3-7.fc23.noarch.rpm 390 kB/s | 8.1 kB 00:00
(16/17): perl-srpm-macros-1-17.fc23.noarch.rpm 424 kB/s | 9.7 kB 00:00
(17/17): binutils-2.25-17.fc23.x86_64.rpm 7.6 MB/s | 5.6 MB 00:00
Total 1.6 MB/s | 6.5 MB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : python-srpm-macros-3-7.fc23.noarch 1/17
Installing : perl-srpm-macros-1-17.fc23.noarch 2/17
Installing : ocaml-srpm-macros-2-3.fc23.noarch 3/17
Installing : go-srpm-macros-2-3.fc23.noarch 4/17
Installing : gnat-srpm-macros-2-1.fc23.noarch 5/17
Installing : ghc-srpm-macros-1.4.2-2.fc23.noarch
Re: [qubes-users] Customizing DisposableVM Menu
On 2016-08-13 20:53, Daniel Franke wrote:
> /13/16, Andrew David Wong wrote:
>> Which Qubes release and desktop environment are you using?
>
> I'm on 3.2-rc2 under Xfce.
>

Ok, well, the process should be similar. It's really more of an Xfce issue than a Qubes issue, so you may want to have a look at their documentation or just play around with it.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org