Re: [qubes-users] VPN with PPTP failing

2016-08-14 Thread kototamo 

> modprobe ip_conntrack_pptp
> modprobe ip_nat_pptp
> iptables -I FORWARD -p 47 -s X.X.X.X -J ACCEPT
> 

What setup do I need for a ProxyVM?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/158c26eb-7ab2-4249-aa84-eb84640e2d36%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN ProxyVM rc.local

2016-08-14 Thread Chris Laprise 

On 08/14/2016 04:52 PM, Paf LeGeek wrote:

Hello !

I am trying to follow the steps in the link below to make a ProxyVpn with VPN 
autostart :
https://www.qubes-os.org/doc/vpn/

But my rc.local does not start on my ProxyVM.

I did the commands below on my Debian 8 Template VM :

sudo chmod +x /etc/rc.local
systemctl disable openvpn.service

The rc.local service is enable.

This is the result of ls -l :
user@debian-8-vpn:~$ ls -l /etc/rc.local
-rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local


If I start the rc.local with sudo sh /etc/rc.local using the terminal on my 
ProxyVM, it's working.

So, why my rc.local does not start automatically on my ProxyVM ?

Thanks for your help.


Hi,

The vpn doc indicates /rw/config/rc.local (in the proxy vm) not 
/etc/rc.local.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/696aac79-0882-38a9-0f95-9da6e8747b77%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] grub2-mkconfig not found

2016-08-14 Thread zackptg5 
On Saturday, August 13, 2016 at 5:45:58 PM UTC-4, Marek Marczykowski-Górecki 
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Sat, Aug 13, 2016 at 06:53:20AM -0700, zackp...@gmail.com wrote:
> > On Saturday, August 13, 2016 at 6:14:44 AM UTC-4, Marek 
> > Marczykowski-Górecki wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > > 
> > > On Sat, Aug 13, 2016 at 03:11:57AM -0700, Andrew David Wong wrote:
> > > > On 2016-08-12 20:57, zackp...@gmail.com wrote:
> > > > > Hi all, I'm a new qubes user and have been following the guides to get
> > > > > trim enabled for the dom0. Everything seems to have gone smoothly 
> > > > > until the
> > > > > grub steps. I can't find a grub.cfg file anywhere. The only 
> > > > > abnormality to
> > > > > my installation is that it's UEFI. So the closest thing I did find to 
> > > > > this
> > > > > was /boot/efi/EFI/qubes/xen.cfg which had the kernel line referenced 
> > > > > in the
> > > > > trim guide. However, when I attempt to run grub2-mkconfig -o 
> > > > > /boot/efi/EFI/qubes/xen.cfg I get "grub2-mkconfig: command not found" 
> > > > > All 
> > > > > that is present in the /boot/grub2 folder is a themes folder. I am 
> > > > > using
> > > > > the main dom0 terminal for all of this.
> > > > > 
> > > > > Considering that everything boots fine, I'm hesitant to reinstall 
> > > > > grub2 (I 
> > > > > assume it would need to be grub2-efi in this case). Any clue as to 
> > > > > what's 
> > > > > going on? Thanks
> > > > > 
> > > > 
> > > > I think grub2-mkconfig is not found because you're using UEFI rather 
> > > > than
> > > > legacy boot. Are you getting your instructions from here?
> > > > 
> > > > https://www.qubes-os.org/doc/disk-trim/
> > > > 
> > > > I think these instructions were written with legacy boot in mind. I'm 
> > > > not sure
> > > > how to enable TRIM on UEFI (CCing Marek).
> > > 
> > > Yes, on UEFI install /boot/efi/EFI/qubes/xen.cfg is the right file - you
> > > need to edit it directly.
> > > 
> > > - -- 
> > > Best Regards,
> > > Marek Marczykowski-Górecki
> > > Invisible Things Lab
> > > A: Because it messes up the order in which people normally read text.
> > > Q: Why is top-posting such a bad thing?
> > > -BEGIN PGP SIGNATURE-
> > > Version: GnuPG v2
> > > 
> > > iQEcBAEBCAAGBQJXrvMNAAoJENuP0xzK19csfqQH/0/P4FV8W2/pZhWaCeXfseqj
> > > fw79GDTa5/ExjxSg4eehHDhHHVgG3kaeb0HafPvVnHS/DJuHzCG1Xrs1vyZJlPID
> > > oCrH4FaaYQ2Che4L4D/Koh5lNEdEakKOrF7ILbTRN5u8Q4xvdM9KQ/paacCYkCDJ
> > > YlYKELzyOZ1wkUvwttPynTANdrMlY797BHkHYHv2TbaMBTjw4EYmIs+VM9MRIWIv
> > > Lis1hZn97y1z3ZIQglrQRCDLAmoNJPBsXRdMHjNyA5EeKQPX+fNxsE3/HIoqrIi3
> > > 3DHYzKIS/UBDFHOJXj7I3pK311fS1IcUlrbRCXJYCM0gF5A5EkWKxIj0ghV0YTI=
> > > =uhvX
> > > -END PGP SIGNATURE-
> > 
> > So I'm editing the right file, that's all and good. Here's what I've done 
> > so far: 
> > 
> > #Find UUID of ssd
> > ls /dev/mapper/luks-*
> > #Set trim in crypttab
> > sudo nano /etc/crypttab
> > #Add "allow-discards" at end of entry for ssd with matching UUID
> > #Set trim in fstab
> > sudo nano /etc/fstab
> > #Add "discard" after other flags (like "default") for everything but swap
> > sudo nano /etc/lvm/lvm.conf
> > #Change "issue_discards" from "0" to "1"
> > #Add discard to grub
> > sudo nano /boot/efi/EFI/qubes/xen.cfg
> > #At the end of the kernel line, add "rd.luks.allow-discards=1"
> > #Rebuild initramfs
> > sudo dracut -H -f
> > ##Check if discard (trim) is enabled:
> > lsblk -D
> > #OR
> > sudo dmsetup table
> > 
> > Everything above works except that lsblk still shows no trim support so I 
> > guess that the rebuilding of grub is an important step in this.
> 
> I think dracut by default place output file in
> /boot/initramfs-(kernel version), while on UEFI system bootloader loads
> it from /boot/efi/EFI/qubes/. Try to copy it there.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJXr5UPAAoJENuP0xzK19csZGMH/RUxcWpX8666s3xhNptrw7NH
> d5bgtzZu9kHWCGILyeLAmnJcW8y36VPMhdWcbyLcakh4WSKqPqIIqJeq+1CAm6bG
> SRMTMnMTIjlQsP9ODNGFpS/JaW8tN6qQA4Cg33NSs92mlWIcRDy/ufb7A8S+NxEu
> 0LssHH7A7y+aY13ZDy9osd3S/cKf1c8v/fQOTcg29QRq8hq0KKaD8J/a/xiCbvth
> yc2eknJGOnG8j1Q3v3X6ByaA8StbmlR9LibkmSH7Y8DV3cV7Rmbv/0M7IbSf7V7F
> oeehHK+AhFHZLHidQUxd4UkIfI7CKymHyzHIqClYXvdjiZui5ClSvsLmJPR+ovw=
> =jCSn
> -END PGP SIGNATURE-

I checked the date and time of creation of the initramfs file in the 
directories you specified and you are correct in that dracut created it in 
/boot. However, after copying it to /boot/efi/EFI/qubes and replacing the one 
there, there's still no trim support. Here's my output:

sudo dmsetup table
snapshot-fb01:3278378-fb01:3279033: 0 20971520 snapshot 7:7 7:8 P 256
qubes_dom0-swap: 0 15990784 linear 251:0 2048
qubes_dom0-root: 0 451420160 linear 251:0

Re: [qubes-users] Tool to record Whonix / Tor browsing history..?

2016-08-14 Thread Nicklaus McClendon 
On 08/14/2016 06:33 PM, Unman wrote:
> On Fri, Aug 12, 2016 at 02:58:26PM +, Manuel Amador (Rudd-O) wrote:
>> On 08/12/2016 01:39 PM, neilhard...@gmail.com wrote:
>>> I would like to be able to do something like:
>>>
>>> 1. Use Whonix/Tor as a disposable VM
>>>
>>> 2. Record browsing history using an external software
>>>
>>> One of the reasons I don't use Tor that much (other than slow speed, 
>>> captchas etc) is because I actually want to have a record of the websites I 
>>> have visited.
>>>
>>> We know that it could be risky to have the Tor browser itself record 
>>> history, if it gets hacked.
>>>
>>> But to have some tool running outside of the VM would be useful..
>>
>> For the same reason that attackers outside the VM can't see what you're
>> visiting, you yourself won't be able to see it either.
>>
>> What you want is not doable.
>>
>> If you want to have a record of sites you visit, then tell the Tor
>> Browser to record your browsing history, and hope that works for you.
>>
>> -- 
>> Rudd-O
>> http://rudd-o.com/
>>
> 
> It should be possible to insert a proxy between the browser and the Tor
> gateway, and sniff the traffic there.
> You could use a crafted tcpdump filter to some effect, but you wont just
> get a record of websites, but all requests, so you will have to do some
> post processing on the file to identify the websites. Not difficult, but
> probably wont be exactly what you want. It will, of course, also include
> all resource requests: that could be interesting, and might surprise
> you.
> 
> unman
> 

I was thinking something like have the Tor Browser record history in a
disposable VM, and have a Qubes RPC pull the Firefox profile to a
separate VM. More options like parsing the SQLite database could be
included to increase usability.
https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

-- 
kulinacs 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/76bc7cdc-d0d9-faaa-27b1-292674c1900d%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] VPN ProxyVM rc.local

2016-08-14 Thread Unman 
On Sun, Aug 14, 2016 at 01:52:22PM -0700, Paf LeGeek wrote:
> Hello !
> 
> I am trying to follow the steps in the link below to make a ProxyVpn with VPN 
> autostart :
> https://www.qubes-os.org/doc/vpn/
> 
> But my rc.local does not start on my ProxyVM.
> 
> I did the commands below on my Debian 8 Template VM :
> 
> sudo chmod +x /etc/rc.local
> systemctl disable openvpn.service
> 
> The rc.local service is enable.
> 
> This is the result of ls -l :
> user@debian-8-vpn:~$ ls -l /etc/rc.local
> -rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local
> 
> 
> If I start the rc.local with sudo sh /etc/rc.local using the terminal on my 
> ProxyVM, it's working.
> 
> So, why my rc.local does not start automatically on my ProxyVM ?
> 
> Thanks for your help.
> 

Hello.

Do you see any errors re the VPN service?
What is the content of your rc.local file?

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160814233906.GC4457%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Tool to record Whonix / Tor browsing history..?

2016-08-14 Thread Unman 
On Fri, Aug 12, 2016 at 02:58:26PM +, Manuel Amador (Rudd-O) wrote:
> On 08/12/2016 01:39 PM, neilhard...@gmail.com wrote:
> > I would like to be able to do something like:
> >
> > 1. Use Whonix/Tor as a disposable VM
> >
> > 2. Record browsing history using an external software
> >
> > One of the reasons I don't use Tor that much (other than slow speed, 
> > captchas etc) is because I actually want to have a record of the websites I 
> > have visited.
> >
> > We know that it could be risky to have the Tor browser itself record 
> > history, if it gets hacked.
> >
> > But to have some tool running outside of the VM would be useful..
> 
> For the same reason that attackers outside the VM can't see what you're
> visiting, you yourself won't be able to see it either.
> 
> What you want is not doable.
> 
> If you want to have a record of sites you visit, then tell the Tor
> Browser to record your browsing history, and hope that works for you.
> 
> -- 
> Rudd-O
> http://rudd-o.com/
> 

It should be possible to insert a proxy between the browser and the Tor
gateway, and sniff the traffic there.
You could use a crafted tcpdump filter to some effect, but you wont just
get a record of websites, but all requests, so you will have to do some
post processing on the file to identify the websites. Not difficult, but
probably wont be exactly what you want. It will, of course, also include
all resource requests: that could be interesting, and might surprise
you.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160814233352.GB4457%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN with PPTP failing

2016-08-14 Thread Unman 
On Sat, Aug 13, 2016 at 03:22:16AM -0700, kotot...@gmail.com wrote:
> Hi,
> 
> I'm trying to setup a VPN connection with PPTP from sys-net (first tried with 
> the ProxyVM but it also didn't work) without success.
> 
> Any help is welcome, here below the logs.
> I also tried
> 
> $ sudo modprobe nf_conntrack_pptp
> 
> without success.
> 
> I'm using the fedora template.
> 
> Plugin /usr/lib64/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
> using channel 9
> Using interface ppp0
> Connect: ppp0 <--> /dev/pts/1
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> sent [LCP ConfReq id=0x1]
> LCP: timeout sending Config-Requests
> Connection terminated.
> Modem hangup
> Script /sbin/pptp 91.233.116.223 --nolaunchpppd --loglevel 2 --logstring 
> nm-pptp-service-5272 finished (pid 5281), status = 0x0
> 
My guess is that you are blocking the connection from the VPN
server.
PPTP requires you to allow inbound GRE traffic.
If your server is at X.X.X.X, and the VPN client is attached to sys-net
then you want something like this on sys-net:

modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
iptables -I FORWARD -p 47 -s X.X.X.X -J ACCEPT

See if that helps.

u

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160814231404.GA4457%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] installing Signal on Qubes mini-HOWTO

2016-08-14 Thread Nicklaus McClendon 
On 08/14/2016 05:22 PM, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
> 
> If you're a Signal user on Android, you can now have Signal inside
> Qubes. Here's how I did it:
> 
> 1. Install the Chromium browser in your appvm template - skip if you
> were already using it. Shut down the template VM.
> 2. Create a new AppVM called Signal
> 3. Launch Chromium browser in new VM, go to chrome://extensions/ in the
> address bar and follow the link to the Chrome app store.
> 4. In the app store, search for "Signal private messenger" and install
> the app.
> 5. The app launches automatically on first install. Follow the prompts
> to "link" this app with your phone.
> 6. At this stage Signal should work on your Qubes system.
> 
> Let's make Signal a bit more usable by creating a shortcut in our
> desktop panel that launches Signal directly. (this assumes KDE desktop
> on Dom0)
> 
> 7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal
> -> Signal: Add more shortcuts... -> Select "Chromium web browser")
> 8. Follow
> http://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer-
> to create a desktop shortcut
> 9. Right-click on Chromium icon in panel, select "Icon Settings"
> 10. Change the "Command" field of the "Application" tab to: qvm-run -a
> --tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh
> --profile-directory=Default --app-id=(long string which you'll get from
> the properties of the desktop shortcut you created in step #7)'
> 11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used
> the following command to copy the icon file to Dom0: [user@dom0]$
> qvm-run --pass-io Signal 'cat
> /home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png'
>> /home/users/signal-icon.png
> 12. Now you can change your new shortcut's icon from Chrome to Signal,
> by pointing it to /home/users/signal-icon.png
> 
> If anyone has a better way of creating a custom panel shortcut I'd love
> to hear it.
> 
> Cheers,
> 
> Alex
This is a really neat idea and guide, thanks for sharing it! It might be
better to work with the way Qubes' handles the shortcuts internally.
That documentation can be found here.
https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1

If you dig through the GetAppMenus RPC, you'll see it (generally put)
draws it source list from desktop files in /usr/share/applications. If
you put a Signal .desktop file in there, you should (I think, untested)
be able to simply use the GetAppMenus RPC.
-- 
kulinacs 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dbd0f71c-ee9b-002f-519c-449fce6a83fd%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

[qubes-users] installing Signal on Qubes mini-HOWTO

2016-08-14 Thread IX4 Svs 
Just spent a few minutes to figure this out so I thought I'd share.

If you're a Signal user on Android, you can now have Signal inside Qubes.
Here's how I did it:

1. Install the Chromium browser in your appvm template - skip if you were
already using it. Shut down the template VM.
2. Create a new AppVM called Signal
3. Launch Chromium browser in new VM, go to chrome://extensions/ in the
address bar and follow the link to the Chrome app store.
4. In the app store, search for "Signal private messenger" and install the
app.
5. The app launches automatically on first install. Follow the prompts to
"link" this app with your phone.
6. At this stage Signal should work on your Qubes system.

Let's make Signal a bit more usable by creating a shortcut in our desktop
panel that launches Signal directly. (this assumes KDE desktop on Dom0)

7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal ->
Signal: Add more shortcuts... -> Select "Chromium web browser")
8. Follow
http://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer-
to create a desktop shortcut
9. Right-click on Chromium icon in panel, select "Icon Settings"
10. Change the "Command" field of the "Application" tab to: qvm-run -a
--tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh
--profile-directory=Default --app-id=(long string which you'll get from the
properties of the desktop shortcut you created in step #7)'
11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used the
following command to copy the icon file to Dom0: [user@dom0]$ qvm-run
--pass-io Signal 'cat
/home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png'
> /home/users/signal-icon.png
12. Now you can change your new shortcut's icon from Chrome to Signal, by
pointing it to /home/users/signal-icon.png

If anyone has a better way of creating a custom panel shortcut I'd love to
hear it.

Cheers,

Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEe-%3DTfaS67HUkT%2BZdMswPYqay6ttfSOktr6XwxxfnNytrbCRQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] VPN ProxyVM rc.local

2016-08-14 Thread Paf LeGeek 
Hello !

I am trying to follow the steps in the link below to make a ProxyVpn with VPN 
autostart :
https://www.qubes-os.org/doc/vpn/

But my rc.local does not start on my ProxyVM.

I did the commands below on my Debian 8 Template VM :

sudo chmod +x /etc/rc.local
systemctl disable openvpn.service

The rc.local service is enable.

This is the result of ls -l :
user@debian-8-vpn:~$ ls -l /etc/rc.local
-rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local


If I start the rc.local with sudo sh /etc/rc.local using the terminal on my 
ProxyVM, it's working.

So, why my rc.local does not start automatically on my ProxyVM ?

Thanks for your help.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ee0c3de-45e6-460f-aeb0-bfb72300ca74%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Thinkpwn?

2016-08-14 Thread eliwu 
Just to clarify, that means that even if the UEFI is exploited, it does not 
matter with Qubes?  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c5bacf8-8d1e-411a-8d2e-01f907b839d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes-hcl-report Lenovo T540p

2016-08-14 Thread York Keyser 

Hi list,

I'm happy I now finally installed Qubes-OS on my notebook. Because of 
some issue with HDPI I installed the 3.2-rc2 and can tell everything 
work out of the box. Nice work Qubes-OS Team ;)


The only thing I miss are the shortcuts from my Lenovo notebook like MIC 
on/off, maybe somebody have an idea about this.


Regards York

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d6e97cec-76b4-7a18-1fba-26798af8c4a5%40cryptea.net.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-LENOVO-20BE00B8GE-20160814-185401.cpio.gz
Description: application/gzip


Qubes-HCL-LENOVO-20BE00B8GE-20160814-185401.yml
Description: application/yaml

Re: [qubes-users] What exactly is stored in an App VM backup..?

2016-08-14 Thread neilhardley 
OK, that's really nice to know that startup scripts are not saved.

Really nice.

The thing about having to shut down the VM is still annoying though.

The other thing is, the progress bar for Qubes backups is very bad.. It stays 
at 0% for a long time, and then hours later, gets to 100%... There is not the 
kind of progressive movement that lets you know how long this is going to take.

Apart from that though.. at least it's secure. That's the main thing I care 
about.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/797de76c-76ee-44fb-8917-6a29ce3652a4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] What exactly is stored in an App VM backup..?

2016-08-14 Thread Alex 
On 08/14/2016 03:37 PM, neilhard...@gmail.com wrote:
> But presumably this private.img is going to include things like:
> 
> folder: /etc/init.d/
> 
> file: /etc/rc.local
> 
> things like this, which are used to do start-up scripts.
> 
No, it does not. Only root.img for templateVMs include such things;
please refer to https://www.qubes-os.org/doc/template-implementation/
for more information on the overlayFS structure of block devices.


> So anyone who hacked the VM might place some start-up scripts which
> link to malware stored on the machine.
These changes are not persisted, because they are not saved in the
private.img file, if they are made on an appvm.

> This is why I thought it would be better to use an internal Fedora
> system to do the backup.
> 
> Doing this would also prevent you from having to shut down your VM in
> order to do the backup, which is a drain on productivity.
You can use the backup system you like, or even a superposition of many.
I myself use a staggered-and-timed syncthing mirror for quick recovery
of user mistakes (everything is copied and kept 90 days, and 3 copies of
every files are staggered, so accidental edits or deletions can be
recovered if not too much time ago) and also the qubes backup system for
disaster recovery. I like to protect against those two scenarios, and no
tool covers both efficiently, so I use both.

Me and a friend were thinking of preparing a duplicity-based appVM with
beefy scripts which would be able to backup all the other appVMs and
save a local USB hard drive or a remote, encrypted cloud storage (both
standard functionality of duplicity), but eventually abandoned the
project for lack of free time. That would have allowed for a centralized
configuration and schedule point, while keeping the isolation Qubes
provides. That could even be used, with some caveats (first and
foremost, program data should be in a consistent state), with live AppVMs.

-- 
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/24135208-6e86-9073-e295-d5648e8f54e1%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] What exactly is stored in an App VM backup..?

2016-08-14 Thread neilhardley 
But presumably this private.img is going to include things like:

folder: /etc/init.d/

file: /etc/rc.local

things like this, which are used to do start-up scripts.

So anyone who hacked the VM might place some start-up scripts which link to 
malware stored on the machine.

So these are going to be backed up by the Qubes backup system.

This is why I thought it would be better to use an internal Fedora system to do 
the backup.

Doing this would also prevent you from having to shut down your VM in order to 
do the backup, which is a drain on productivity.

---

Or am I wrong here..? Would this somehow not back up any start-up scripts...?

Because that's what I'm worried about.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c45479a8-c541-47cc-a427-34d8d3379e3f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] What exactly is stored in an App VM backup..?

2016-08-14 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-14 05:56, neilhard...@gmail.com wrote:
> I want to know.. what exactly is stored in an App VM backup..?
> 
> When you back it up, and you have your single backup file, what is in that 
> file?
> 
> Obviously, your personal files, like folder structure, Documents,
> Downloads, Music etc.
> 
> But how about programs..? Are programs stored in there, or are they only 
> stored in the template VM..?
> 
> How about things like startup scripts, for example, a startup script that
> may load up a virus..? Or are those just in the template VM..?
> 
> I say this in terms of security... as to whether it is safe to back up an
> App VM... or whether it's safer to back up the files from within the App VM
> using some sort of Fedora tool...
> 
> Thanks
> 

No programs, just the AppVM's private.img file along with things like
firewall.xml. You can explore the contents for yourself by following the
instructions here:

https://www.qubes-os.org/doc/backup-emergency-restore-v3/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsG9AAAoJENtN07w5UDAwm9AP/A5337EdKJgC/nU0Smv1QJu0
KJUx8bpcgkRDP7PNjuaDTZRDBTcvLv+6wqstgls5PemfFybV/GTCCH0gHHQfOlY6
QQum0jhJ3uWI/dlkhYSxAlWFM44rqMyxz1jDZ/seKFd91VY6SSnu02mgG+jZqDDa
vtfremssHveka9/7hRQEuisJV4Z2ug5BGAR2J0BD01lorQhe4Uxz5/YIum16krKY
tBFU/zBwbpIu6U7c+TNl2WHYAI7mWZDs3UnQqDN0WmYnmJnghzAgRBGvhCBVgeTn
iKnCZiKt+xw5ATlwsXyqADtISq1oWmknXbWEkLQsxlIeysS67NjYVOWJQrSL+pxf
FrQIK3bkxDGVEyCWrNhArkiuYBJPFShXa/JvOQOFTFK4PxbYHuB2kOGOBcDs0THj
EUKS0E1Hm6eqMEwGWsMWhaHxiw3Lnr6GOrpcCdmbdqUqnywJi+4m2MhPCn/+I7wZ
ryGpT4l0o6Q8l5rkxA//0ksq1ey3J/5o6DUhmH6yTYpvX8fUdZQk46Z28nxv9yV4
oqQSwhdtpn+VaCwNtBW3hDCsh/bNEZr3+wlPiBOh0eG0jVtgWjVazEy6dfCrw9vu
wg1XAaj6PnujjvVGZRFh/VgoqL0G5KQsV3LENCcYnGOucXF7sfrVJBJTRlSuav3/
lQyDEB1HxA8sjEtdSHet
=wSdb
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/69e9ebd3-7567-82d6-6511-5feb67f17c77%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] What exactly is stored in an App VM backup..?

2016-08-14 Thread neilhardley 
I want to know.. what exactly is stored in an App VM backup..?

When you back it up, and you have your single backup file, what is in that file?

Obviously, your personal files, like folder structure, Documents, Downloads, 
Music etc.

But how about programs..? Are programs stored in there, or are they only stored 
in the template VM..?

How about things like startup scripts, for example, a startup script that may 
load up a virus..? Or are those just in the template VM..?

I say this in terms of security... as to whether it is safe to back up an App 
VM... or whether it's safer to back up the files from within the App VM using 
some sort of Fedora tool...

Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2cf22885-9220-41e2-9a4a-5b6d529cf43e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.

2016-08-14 Thread lol lol 
Hi, again. Here you are full log attachment from normal user without sudo. It 
doesn't work too.


http://pastebin.com/GQTN8zYx


>^
> This is the problem.
> You should call it from normal user, it will use sudo for those (few)
> things that require root. Now you probably have files ownership screwed
> up... The easiest way to fix is to remove and start again.
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7881f80c-06b8-4400-aca1-cb2abd95bbc4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Assigning Drivers Help

2016-08-14 Thread David Vorick 
Thanks, I appreciate the answer. You are right, it's more involved than I
had realized and more involved than I'm willing to put up with. We've also
got Nvidia cards, which don't seem to be working at all.

I am disappointed, but I know how this goes. I hope the support is there at
some point in the future, but in the meantime thanks for the Qubes that
exists so far. I'm really excited about the tech and will at least be using
it on my workstation.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAFVRnypGObkkko_zyopaif3%3D%2BqCLO6tdYX8a0fM8v7piYp_Hbw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.

2016-08-14 Thread lol lol 
File attached. Here is full log.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e7098ca1-7506-42db-8e87-f67a14895aa2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


test
Description: Binary data

Re: [qubes-users] Manual https://www.qubes-os.org/doc/templates/archlinux/ does not work.

2016-08-14 Thread lol lol 
Hi, Marek. Here installation from normal user. Full log attachment.


> This is the problem.
> You should call it from normal user, it will use sudo for those (few)


=

[user@arch-test ~]$ uname -a
Linux arch-test 4.1.24-10.pvops.qubes.x86_64 #1 SMP Fri Jul 22 10:23:50 UTC 
2016 x86_64 x86_64 x86_64 GNU/Linux
[user@arch-test ~]$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
[user@arch-test ~]$ sudo dnf install git createrepo rpm-build make wget 
rpmdevtools python-sh dialog rpm-sign
Last metadata expiration check: 0:01:00 ago on Sun Aug 14 14:38:44 2016.
Package git-2.5.5-1.fc23.x86_64 is already installed, skipping.
Package createrepo-0.10.3-3.fc21.noarch is already installed, skipping.
Package make-1:4.0-5.1.fc23.x86_64 is already installed, skipping.
Package wget-1.18-1.fc23.x86_64 is already installed, skipping.
Dependencies resolved.

 PackageArch   VersionRepository
   Size

Installing:
 binutils   x86_64 2.25-17.fc23   updates 5.6 M
 dialog x86_64 1.3-4.20160424.fc23updates 226 k
 dwzx86_64 0.12-1.fc23fedora  106 k
 ghc-srpm-macrosnoarch 1.4.2-2.fc23   fedora  8.2 k
 gnat-srpm-macros   noarch 2-1.fc23   fedora  8.4 k
 go-srpm-macros noarch 2-3.fc23   fedora  8.0 k
 ocaml-srpm-macros  noarch 2-3.fc23   fedora  8.1 k
 patch  x86_64 2.7.5-2.fc23   fedora  123 k
 perl-generatorsnoarch 1.06-2.fc23updates  15 k
 perl-srpm-macros   noarch 1-17.fc23  fedora  9.7 k
 python-sh  noarch 1.11-1.fc23updates  49 k
 python-srpm-macros noarch 3-7.fc23   updates 8.1 k
 redhat-rpm-config  noarch 36-1.fc23.1updates  59 k
 rpm-build  x86_64 4.13.0-0.rc1.13.fc23   updates 137 k
 rpm-sign   x86_64 4.13.0-0.rc1.13.fc23   updates  55 k
 rpmdevtoolsnoarch 8.9-1.fc23 updates 105 k
 xemacs-filesystem  noarch 21.5.34-14.20160603hga561e02bb626.fc23 updates  21 k

Transaction Summary

Install  17 Packages

Total download size: 6.5 M
Installed size: 25 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): rpmdevtools-8.9-1.fc23.noarch.rpm   1.1 MB/s | 105 kB 00:00
(2/17): rpm-build-4.13.0-0.rc1.13.fc23.x86_64.r 1.2 MB/s | 137 kB 00:00
(3/17): patch-2.7.5-2.fc23.x86_64.rpm   1.0 MB/s | 123 kB 00:00
(4/17): python-sh-1.11-1.fc23.noarch.rpm649 kB/s |  49 kB 00:00
(5/17): rpm-sign-4.13.0-0.rc1.13.fc23.x86_64.rp 915 kB/s |  55 kB 00:00
(6/17): dialog-1.3-4.20160424.fc23.x86_64.rpm   2.3 MB/s | 226 kB 00:00
(7/17): xemacs-filesystem-21.5.34-14.20160603hg 250 kB/s |  21 kB 00:00
(8/17): perl-generators-1.06-2.fc23.noarch.rpm  345 kB/s |  15 kB 00:00
(9/17): redhat-rpm-config-36-1.fc23.1.noarch.rp 1.4 MB/s |  59 kB 00:00
(10/17): dwz-0.12-1.fc23.x86_64.rpm 1.6 MB/s | 106 kB 00:00
(11/17): ghc-srpm-macros-1.4.2-2.fc23.noarch.rp 327 kB/s | 8.2 kB 00:00
(12/17): gnat-srpm-macros-2-1.fc23.noarch.rpm   1.0 MB/s | 8.4 kB 00:00
(13/17): ocaml-srpm-macros-2-3.fc23.noarch.rpm  786 kB/s | 8.1 kB 00:00
(14/17): go-srpm-macros-2-3.fc23.noarch.rpm 422 kB/s | 8.0 kB 00:00
(15/17): python-srpm-macros-3-7.fc23.noarch.rpm 390 kB/s | 8.1 kB 00:00
(16/17): perl-srpm-macros-1-17.fc23.noarch.rpm  424 kB/s | 9.7 kB 00:00
(17/17): binutils-2.25-17.fc23.x86_64.rpm   7.6 MB/s | 5.6 MB 00:00

Total   1.6 MB/s | 6.5 MB 00:04 
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : python-srpm-macros-3-7.fc23.noarch 1/17 
  Installing  : perl-srpm-macros-1-17.fc23.noarch  2/17 
  Installing  : ocaml-srpm-macros-2-3.fc23.noarch  3/17 
  Installing  : go-srpm-macros-2-3.fc23.noarch 4/17 
  Installing  : gnat-srpm-macros-2-1.fc23.noarch   5/17 
  Installing  : ghc-srpm-macros-1.4.2-2.fc23.noarch

Re: [qubes-users] Customizing DisposableVM Menu

2016-08-14 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-13 20:53, Daniel Franke wrote:
> /13/16, Andrew David Wong  wrote:
>> Which Qubes release and desktop environment are you using?
> 
> I'm on 3.2-rc2 under Xfce.
> 

Ok, well, the process should be similar. It's really more of an Xfce issue
than a Qubes issue, so you may want to have a look at their documentation or
just play around with it.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsB+6AAoJENtN07w5UDAw0B4P/3NTYnghkLNOlOiE/kCL5t7P
JzdtvhYILMQ3Hf9x4c/mbkDDSKA8FjoV9X0kg3gvMHVytV9ekcNBsJX/xU1cRKha
VWIjYTGKfX9JgVedGPYHvlWoSZEG07WPHceE4NJJ7AGBt1DrA0zLs+rsSEL8d2rb
+TeqOyTwsyosFTDjYe1+/RODozogzYJPHgdsk6EfQfQ9mAjoFeUHGnALHzlF2TFt
Myp4AHhqa48t7wmTHUadqQEmbQlJwVZKwbOVRJwTW1E8ZiVc2nQBtM1XMs+NKNbE
e/GxPo9rP3JSEXsEylk+2qvrPBMVwo0h5navvENTyA926XS4qcc1pngboA4H/H6n
FmeZZ/3i9RIviFbRAM8alfh1Vfz+5KjY0ijZN0+rLP7uVGrqAdIYeMs7raegZNZb
uVquLkob4yOAVmuTmaK3cGGQ1dFwXxcZFfuojZ4kmzc/2N2cky6TitihaqWRqu7w
/KpAc8UlhKWpF4J0rugInskosffJRLFSLQoD3WyZoppDU5u3RkY3EHcqSESGFk+D
AXSUwsc5EAjMtiYUpflXdQ88KZAr7FmVG/5hrkIvSTzuzSfqczn6dlaqb2fGklWB
Ew0SFqOtU6O3xLNMWwd7cN3Djh083a/g3C9YYnJdSbsw1qY1kgH+ryoqTa+T9kZ4
Jy+AjSiUt8N9trhEXcPE
=VVcM
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dfe60f30-1240-1d7a-5751-cc387999b8a8%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.