Re: [qubes-users] Re: Incremental / continuous backups?

2016-11-18 Thread Loren Rogers



On 11/16/2016 06:02 PM, Marek Marczykowski-Górecki wrote:


On Wed, Nov 16, 2016 at 01:35:53PM -0800, pixel fairy wrote:

On Wednesday, November 16, 2016 at 2:12:37 PM UTC-5, Loren Rogers wrote:

What's a good approach for regular backups?

Does Qubes have a simple way of automatically saving VM snapshots? And,
is there a way to do this incrementally? I assume not, since the
encryption would block it?

you can encrypt the volume and put snapshots on that. maybe the future of 
qubes-backup?

till then i use a script from dom0,
qvm-run backupkeeper "rm -rf QubesIncoming/*"
for i in `cat backuplist`;do qvm-run $i "qvm-copy-to-vm backupkeeper .";done

then rdiff-backup QubesIncoming /run/media/user/.../backups/rdiff

this way, the same drive can also keep appvm snapshots.
backupkeeper is just an appvm with no network access and a lot of space. the 
usb disks are set up with cryptsetup, ext4 and a backups folder owned by user. 
the first line is to get rid of old backups. qvm-copy-to-vm won't let you 
overwrite.

it's no TimeMachine, and deleting and copying entire folders is inefficient. but 
does the job and easy to recover on any linux system.

would be nice to be able to initiate the file copy from dom0 and auto allow it. 
then it could run in the background.

Actually you can "auto allow it". Simply click "Yes to all" during one
backup run - it will add appropriate rule to policy to allow the same
operation (same source and target VM) in the future without asking.

-- 
Best Regards,

Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Very interesting - I'll look into these as options. Out of curiosity, 
would it be possible to post your script to Gist? (To be sure I don't 
miss something.) I'd like to explore this in more detail, and it would 
be really helpful to see a working example.


In the past, I've had great success with this rsync backup script:
https://github.com/eaut/rsync-time-backup

What would be the costs/benefits of using VM snapshots instead of rsync? 
Would it even be possible to run an rsync script like the one above in 
dom0 that reached into the VMs? (I'm still learning the ins and outs of 
Qubes.)


Loren

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aaae9069-c55a-1b8b-6564-acdfcbdd8a86%40lorentrogers.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Kapersky OS?

2016-11-18 Thread Sandy Harris
Put this in a VM?
https://fossbytes.com/kaspersky-os-hackproof-microkernel/



[qubes-users] sparse fedora template

2016-11-18 Thread Eva Star

Hello,

is it possible to sparse fedora template like Windows template? How to 
fill it with nulls before cleaning?


I have this question because the fedora-24 template is 1 GB bigger, after the 
same programs are installed, than fedora-23.



--
Regards



[qubes-users] Re: Asus ROG GL752VW-GS71-HID6 Install

2016-11-18 Thread Ronald Duncan
On Friday, 18 November 2016 20:25:41 UTC, Ronald Duncan  wrote:
> > reboot - hung at end of Q screen
> Starting Switch Boot
> Error: Driver 'processor_agregator' is already registered, aborting
> Error: Driver 'processor_agregator' is already registered, aborting
> A start job is running for Qubes NetVM startup  (2m 49s /no limit NMI 
> watchdog:Bug soft lockup - CPU1 stuck for 22s! [libvirtd:2306]
> 
> This error repeats a number of times whilst I typed the above :)
> 
> with the occasional
> 1-:(6 ticks this GP) idle=0ef/1400..lots..01/0 softirq-1076/1076 
> fqs=0
> (t=6 jiffies g=2600 c=25999 q=0)
> 
> These two lines are consistent, the part that changes is the number of ticks 
> that increases :)
> 
Eventually the screen gets corrupted with random chars
R



[qubes-users] Re: Asus ROG GL752VW-GS71-HID6 Install

2016-11-18 Thread Ronald Duncan

> reboot - hung at end of Q screen
Starting Switch Boot
Error: Driver 'processor_agregator' is already registered, aborting
Error: Driver 'processor_agregator' is already registered, aborting
A start job is running for Qubes NetVM startup  (2m 49s /no limit NMI 
watchdog:Bug soft lockup - CPU1 stuck for 22s! [libvirtd:2306]

This error repeats a number of times whilst I typed the above :)

with the occasional
1-:(6 ticks this GP) idle=0ef/1400..lots..01/0 softirq-1076/1076 
fqs=0
(t=6 jiffies g=2600 c=25999 q=0)

These two lines are consistent, the part that changes is the number of ticks 
that increases :)

R



[qubes-users] Re: Asus ROG GL752VW-GS71-HID6 Install

2016-11-18 Thread Ronald Duncan
On Friday, 18 November 2016 19:44:09 UTC, Ronald Duncan  wrote:

> 
> Suggestions on how to turn off the Q screen and see what is happening behind 
> the progress bar, and any logs that would be helpful.

Qubes start up Hit F10 for boot time diagnostics



[qubes-users] Asus ROG GL752VW-GS71-HID6 Install

2016-11-18 Thread ronald . boris . duncan
Hi I am trying to install on the following machine.

Asus ROG GL752VW-GS71-HID6 Metal Grey 17.3" i7-6700HQ 2.6-3.5GHz Windows 10 
(960M 4G/256G SSD+1T HDD/32GB RAM/DVDRW) 

Windows and xubuntu run fine. (just run xubuntu 15.10 off a usb so far)

I dd'ed the Qubes-R3.2-x86_64.iso to a usb and then ran the install.

Needed secure boot turned off in bios (ESC) key to get in.

I installed on to the hard drive rather than the ssd, since it was empty and I 
was testing the install.

I did not encrypt the install so I can modify it from ubuntu.

The install was nice apart from not recognising the touchpad (got caught in a 
help screen and had to connect a mouse to escape).

On reboot it does not boot.

The Q graphic screen is shown.

then it hangs (the cpu fan was going full blast)

Sorry did not write down the error message (something about cpu timing???)

Tried rebooting into xubuntu from USB, and I could see all the files in the 
qubes install.

Rebooted, and qubes went on to the next stage of the install??!!

-create default system qubes etc etc

Got a Dom0 error

/usr/sbin/service , qubest-netvm start failed
sterr Redirect to /bin/systemctl start qubes-return.service
Job for qubes-return.service failed because the control process exited with 
error code See "systemctl status qubest-return.service" and "journalctl -ve" 
for details

hit  ok, showed qubes as ok, but went back in to look and had to wait whilst it 
went through the set up process again and came up with the same error.

Then finished install and rebooted

Came up fine, was trying to figure out how to get network to work. Decided to 
try a reboot.

Reboot - hung at end of Q screen
power down
Reboot - hung at end of Q screen
power down
boot into windows OK
reboot - hung at end of Q screen

Suggestions on how to turn off the Q screen and see what is happening behind 
the progress bar, and any logs that would be helpful.

Thanks 
Ronald



Re: [qubes-users] disable split-gpg notifications?

2016-11-18 Thread Michael Carbone
Marek Marczykowski-Górecki:
> On Fri, Nov 18, 2016 at 02:49:00PM +, Michael Carbone wrote:
>> Is there an easy way to disable split-gpg notifications? They are just
>> screen noise, and in XFCE cover the time and systray by default.
> 
> The easy (hacky) way is to comment out notify-send in
> /etc/qubes-rpc/qubes.Gpg.

thanks.

>> From a security perspective without timestamps in the access logs
>> (https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
>> pre-approved email client could just decrypt emails in mass when the
>> user is AFK to avoid notifying the user, so I see little security benefit.
> 
> That's true indeed. I wonder if blocking split-gpg while screenlocker is
> engaged would make sense? Currently the confirmation with a 5min timeout
> serves a similar purpose.

I think that's an excellent idea.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] R3.2, xfce, resume and changing resolution issues

2016-11-18 Thread Marek Marczykowski-Górecki

On Fri, Nov 18, 2016 at 03:52:25PM +0100, yaqu wrote:
> On Sun, 13 Nov 2016 22:23:08 +0100, Marek Marczykowski-Górecki
>  wrote:
> 
> > > Thanks, executing qubes-monitor-layout-notify works as a workaround
> > > - it is much cleaner solution than hack with switching displays off
> > > and on :)
> > 
> > Actually this tool is called automatically when monitor layout is
> > changed (see watch-screen-layout-changes process). The problem is a
> > race condition - it is called before new configuration is actually
> > applied, so it sends the old configuration again... I haven't found
> > yet any way to receive notification _after_ new configuration is
> > applied. Any idea?
> 
> Monitoring relevant X Window events with xev in dom0:
> 
> $ xev -root -event randr -event structure
> 
> and changing display settings, shows that after increasing resolution
> XRROutputChangeNotifyEvent is not sent (only RRScreenChangeNotify,
> XRRCrtcChangeNotifyEvent and ConfigureNotify), at least on my machine
> (R3.2, Intel gfx and Xfce).
> 
> Watch-screen-layout-changes monitors only OutputChange events, and
> that's why it doesn't detect change and doesn't execute
> qubes-monitor-layout-notify.
> 
> I think it would be better to monitor RRScreenChangeNotify event, as it
> is always sent after changing display settings and it's supported in any
> randr version (no need to use ConfigureNotify).
> 
> I have prepared a fix and a pull request.

Thanks, this indeed looks like a good idea.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] disable split-gpg notifications?

2016-11-18 Thread Marek Marczykowski-Górecki

On Fri, Nov 18, 2016 at 02:49:00PM +, Michael Carbone wrote:
> Is there an easy way to disable split-gpg notifications? They are just
> screen noise, and in XFCE cover the time and systray by default.

The easy (hacky) way is to comment out notify-send in
/etc/qubes-rpc/qubes.Gpg.

> From a security perspective without timestamps in the access logs
> (https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
> pre-approved email client could just decrypt emails in mass when the
> user is AFK to avoid notifying the user, so I see little security benefit.

That's true indeed. I wonder if blocking split-gpg while screenlocker is
engaged would make sense? Currently the confirmation with a 5min timeout
serves a similar purpose.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-18 Thread Vít Šesták
For encryption:

* You have inherently a problem with random numbers. Virtually anything 
nontrivial here needs a source of random numbers. You need not only both 
independent systems to use the same source of random numbers, but also to use 
them in the same way. This is possible, but not easy. I also would not call 
such implementations „totally independent“.
* Also configuration of both systems would have to be somewhat aligned.
* It could work then. It could detect a logic flaw or a bug like heartbleed. It 
cannot fix crypto design issue and cannot prevent data leaking through remote 
code execution (RCE).

For backdoored systems and RCE: I've already mentioned that in case of remote 
code execution or backdoor, you can't prevent data leak without fixing all 
relevant covert channels, which is far from being easy. Moreover, the design of 
redundant systems introduces an inherent covert channel: The information if 
computation succeeded (all systems returned the same value) or failed (there 
are two systems that returned a different value) is a 1bit information that the 
malicious system can leak (provided that all other systems return the same 
value). Having redundant systems makes the situation even worse in some ways – 
data can leak provided that *at least one system* leaks them through a covert 
channel. Now, the set of people you trust is larger, not sure.

Comparison with flight control: I don't think they do this in order to defeat 
backdoors or attacks. They rather want to detect (and remedy from) accidental 
failures. No matter how much those goals might look similar, they are in many 
ways different.

Regards,
Vít Šesták 'v6ak'
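
The agree/disagree channel described in the message above, as a toy model added here (not code from the thread or from any Qubes component): three replicas behind a strict all-must-match comparator, one of them a constructed backdoored replica. The names `LeakyReplica`, `compare_all` and `run_rounds` are illustrative assumptions; the model shows that the pass/fail trace carries the secret bit for bit, and that per-replica dissent counts point the operator at the replica responsible.

```python
import hashlib
from collections import Counter


def honest_replica(request: bytes) -> bytes:
    """Every honest implementation computes the same deterministic result."""
    return hashlib.sha256(request).digest()


class LeakyReplica:
    """Constructed model of one backdoored replica (assumption, not real code):
    it returns a wrong answer whenever the next bit it wants to signal is 1."""

    def __init__(self, secret_bits):
        self._bits = iter(secret_bits)

    def __call__(self, request: bytes) -> bytes:
        good = honest_replica(request)
        if next(self._bits, 0):
            # Deviate in one byte so the comparator sees a mismatch.
            return bytes([good[0] ^ 0xFF]) + good[1:]
        return good


def compare_all(replicas, request: bytes):
    """Strict comparator: the computation succeeds only if all replicas agree.
    Returns (ok, outputs)."""
    outputs = [replica(request) for replica in replicas]
    return len(set(outputs)) == 1, outputs


def run_rounds(replicas, n_rounds: int):
    """Run n_rounds requests through the comparator.

    Returns:
      observed - the success(0)/failure(1) trace visible to anyone who can
                 tell whether a computation succeeded (the 1-bit channel)
      dissent  - Counter mapping replica index -> number of rounds in which
                 it disagreed with the majority (what the operator can log)
    """
    observed = []
    dissent = Counter()
    for i in range(n_rounds):
        ok, outputs = compare_all(replicas, b"request-%d" % i)
        observed.append(0 if ok else 1)
        majority, _ = Counter(outputs).most_common(1)[0]
        for idx, out in enumerate(outputs):
            if out != majority:
                dissent[idx] += 1
    return observed, dissent


# Constructed sample secret, one bit signalled per round.
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]


def demo():
    """Two honest replicas plus one leaky replica at index 2."""
    replicas = [honest_replica, honest_replica, LeakyReplica(SECRET)]
    observed, dissent = run_rounds(replicas, len(SECRET))
    return observed, dict(dissent)


if __name__ == "__main__":
    observed, dissent = demo()
    print("pass/fail trace seen from outside:", observed)
    print("secret held by the leaky replica: ", SECRET)
    print("dissent count per replica index:  ", dissent)
```

Adding more honest replicas does not change the trace: a single dissenting replica is enough to flip the comparator's outcome, which is the "at least one system" point made in the message.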



Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-18 Thread '0193284'0918432'0918432'091804329
Hello Chris,

here is a hint:

https://groups.google.com/forum/#!topic/qubes-users/Z7yx7li_SJo

The qvm-convert-pdf command does only one file at a time, so you would have to 
use a complex command like this:

for p in *.pdf; do qvm-convert-pdf "$p"; done

DispVM > Downloads > PDF-File > right Mouse - Context Menu > Scripts... 
perhaps you can enhance here the reachable scripts?

Kind Regards



Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-18 Thread '019384'0193284'0912834'09832'104
Hello,

Redundancy Management Technique for Space Shuttle Computers:

The calculation of the same outputs by each critical computer and the 
synchronization of inputs are used to provide the means of achieving total 
failure coverage of flight-critical functions for a small computational 
resource and hardware cost.

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.136.9216&rep=rep1&type=pdf

Why, the mission-critical functions of any avionic calculation, might be in 
practice so much different from a mission critical encryption - might not help 
to overcome all this human-factor-errors of buggy code?

Kind Regards




Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-18 Thread '0918'3049182'304918'029348'019243
Hello,

Here are also quite a bunch of self-healing engineering, if you like to setup a 
self-secure system...

p24

http://cui.unige.ch/~dimarzo/papers/JAMT.pdf

Other call it reconciliation in the IT, if you check up to techs against each 
other.

Kind Regards



Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-18 Thread '1093784'091384'091832'04918'03249819438
Hello Jean-Philippe Ouellet,

yes you are right, if more than 50% are corrupt and well coordinated - you get 
locked down via this "insider-threats".

But if you use really independent teams and perhaps you have some cover-agents 
running around, as long they are not coordinated or not the majority of the 
parallel independent channels to process, you will be able to make a simple 
black-box checking.

In my opinion, this can even help exactly for the trusted BIOS-boot-chain. If 4 
independent teams come to the same conclusion, even if you need again and again 
many changes and new updates due to better hardware support - if they make a 
clean job, all will finish in the same result.

This flight-system has had no overruling at all in its lifetime, so the 
reliability or up time was pretty high, compared to other IT-solutions.

Also in the maintenance you can calculate, how you can increase the up time in 
critical systems with redundancy.

Kind Regards



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-18 Thread Chris Laprise

On 11/18/2016 02:03 AM, entr0py wrote:

Andrew:


I think not without modifying the Qubes RPC code itself, which is
probably a non-starter.  Anyway you would be relying on untrusted
self-reported information in the trusted Dom0 prompt, so maybe not a
good idea.

If you just want to investigate, this should be logged on the VM itself,
anyway, no?  Maybe I'm wrong.  Look through journalctl and see.

Andrew


Andrew, thanks for the pointers.

Chris resolved before I even looked:

https://forums.whonix.org/t/fixing-whonix-boot-issue-after-securing-qubes-root-auth/3155
https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-261407737


I ended up having one remaining prompt during sys-whonix VM startup 
(based on whonix-gw template).


So the full resolution of the issue involves creating a file 
'/etc/sudoers.d/zz99' in the whonix templates and adding *both* of these 
lines:


ALL ALL=NOPASSWD: /usr/sbin/virt-what
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck *


Chris



Re: [qubes-users] R3.2, xfce, resume and changing resolution issues

2016-11-18 Thread yaqu
On Sun, 13 Nov 2016 22:23:08 +0100, Marek Marczykowski-Górecki
 wrote:

> > Thanks, executing qubes-monitor-layout-notify works as a workaround
> > - it is much cleaner solution than hack with switching displays off
> > and on :)
> 
> Actually this tool is called automatically when monitor layout is
> changed (see watch-screen-layout-changes process). The problem is a
> race condition - it is called before new configuration is actually
> applied, so it sends the old configuration again... I haven't found
> yet any way to receive notification _after_ new configuration is
> applied. Any idea?

Monitoring relevant X Window events with xev in dom0:

$ xev -root -event randr -event structure

and changing display settings, shows that after increasing resolution
XRROutputChangeNotifyEvent is not sent (only RRScreenChangeNotify,
XRRCrtcChangeNotifyEvent and ConfigureNotify), at least on my machine
(R3.2, Intel gfx and Xfce).

Watch-screen-layout-changes monitors only OutputChange events, and
that's why it doesn't detect change and doesn't execute
qubes-monitor-layout-notify.

I think it would be better to monitor RRScreenChangeNotify event, as it
is always sent after changing display settings and it's supported in any
randr version (no need to use ConfigureNotify).

I have prepared a fix and a pull request.

-- 
yaqu



[qubes-users] disable split-gpg notifications?

2016-11-18 Thread Michael Carbone
Is there an easy way to disable split-gpg notifications? They are just
screen noise, and in XFCE cover the time and systray by default.

From a security perspective without timestamps in the access logs
(https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
pre-approved email client could just decrypt emails in mass when the
user is AFK to avoid notifying the user, so I see little security benefit.

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




[qubes-users] Fedora 24 minimal template can not be setup with salt

2016-11-18 Thread qubes

Hi,

I am planning to setup my templates with salt. I have done some 
preparation some time ago but not with the Fedora 24 templates I thought 
it was time to do it properly.


One of the issues is that the minimal template can not use salt by 
default afaik but needs the package "qubes-mgmt-salt" which needs to be 
installed manually.


When I try to do this on the Fedora 24 minimal template I get a conflict 
between the packages qubes-mgmt-salt-config and salt-minion. The 
conflicting files are /etc/salt and /etc/salt/minion.d. Is this known or 
is there a workaround for it besides forcing the installation?



In general it would be great if you would use salt to setup the 
templates, at least optionally, because then it is more transparent what 
is in them, you do not need more disk space on the dvd and users can 
easily customize them. This would also allow users to not backup the 
templates which in my case would save almost 10 GB.



The Fedora standard image has way too many packages and also has 
gstreamer-plugins-bad installed which provides atm a known remotely 
exploitable security hole, at least when Chromium is used.


Thx in advance




Re: [qubes-users] Re: ANN: Qubes network server

2016-11-18 Thread Max
> It's not clear to me what you are trying to achieve.  Can you describe
> it in English with examples?
> 
> 
> -- 
> Rudd-O
> http://rudd-o.com/

I am trying to ping a Debian PVM from a Windows HVM. This requirement is due to 
the fact that I am running a program in Windows that is not supported in Debian 
or Fedora yet it needs to be connected to my database in Debian.

When following the instructions for amending the iptables rules amendment here: 
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes, I 
found that this only worked for connecting from a PVM to a PVM i.e. Fedora to 
Debian but not from HVM to PVM i.e. Windows to Debian.

I wanted to confirm if this was possible and to understand what is required to 
get this working.
