Re: [qubes-users] Re: Thoughts about installed software
On 10/13/2016 12:31 AM, Drew White wrote:
> On Thursday, 13 October 2016 00:39:04 UTC+11, Manuel Amador (Rudd-O) wrote:
>> On 10/12/2016 05:25 AM, Drew White wrote:
>>> So what do those packages require as dependencies though?
>>> The dependencies are also required for full integration.
>>> Just saying, there is more than just "qubes-*" to be thinking about.
>> Are you trolling me with this question? Installing those qubes* packages:
>>
>> * automatically shows you the dependencies on screen
>> * automatically installs the dependencies
>>
>> The recursive dependency information is trivial to discover.
>
> Yes it does, but what else does it need that I have installed that it won't
> tell me BECAUSE the things are ALREADY INSTALLED?

Like I said, trivial to discover. Literally first answer on Google:

https://stackoverflow.com/questions/16843928/is-there-any-way-to-retrieve-a-dependency-tree-from-yum

# repoquery --requires --recursive --resolve

Wow, such hard, many work.

--
Rudd-O
http://rudd-o.com/

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/14625d5f-3168-efa6-993b-ba46b843ebc1%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.
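Added example, not part of the thread: the repoquery command above resolves against repository metadata, whereas this sh script walks the same recursive requires/provides closure over the locally installed RPM database and then lists the installed packages that fall outside it. The function names and script layout are assumptions made for this illustration; `rpm -q --requires`, `rpm -q --whatprovides` and `rpm -qa` are the only external commands used.

```sh
#!/bin/sh
# Added illustration (hypothetical function names): closure over installed RPMs.

# Capabilities a package requires, version constraints stripped.
requires_of() {
    out=$(rpm -q --requires "$1" 2>/dev/null) || return 0
    printf '%s\n' "$out" | awk '{print $1}' | sort -u
}

# Installed package(s) providing a capability. rpm exits non-zero when
# nothing provides it (e.g. rpmlib(...) features), so that case is skipped.
providers_of() {
    out=$(rpm -q --whatprovides "$1" --qf '%{NAME}\n' 2>/dev/null) || return 0
    printf '%s\n' "$out" | sort -u
}

installed_names() { rpm -qa --qf '%{NAME}\n' | sort -u; }

# Worklist traversal: print every package reachable from the given roots.
# Runs in a subshell with globbing off so capability strings stay literal.
dep_closure() (
    set -f
    seen="" queue="$*"
    while [ -n "$queue" ]; do
        set -- $queue; pkg=$1; shift; queue="$*"
        case " $seen " in *" $pkg "*) continue ;; esac
        seen="$seen $pkg"
        for cap in $(requires_of "$pkg"); do
            for dep in $(providers_of "$cap"); do
                case " $seen $queue " in
                    *" $dep "*) ;;
                    *) queue="$queue $dep" ;;
                esac
            done
        done
    done
    printf '%s\n' $seen | sort
)

# Installed packages outside the closure: candidates to review for removal.
outside_closure() {
    keep=$(dep_closure "$@")
    installed_names | grep -vxF "$keep" || :
}

# Roots are rpm -qa glob patterns, e.g.:  sh closure.sh 'qubes-*'
if [ "$#" -gt 0 ]; then
    outside_closure $(rpm -qa --qf '%{NAME}\n' "$@")
fi
```

Because it reads only the local RPM database, the output includes dependencies that an install transaction would not display because they are already present.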
Re: [qubes-users] Re: Thoughts about installed software
On Thursday, 13 October 2016 00:39:04 UTC+11, Manuel Amador (Rudd-O) wrote:
> On 10/12/2016 05:25 AM, Drew White wrote:
> >
> > So what do those packages require as dependencies though?
> > The dependencies are also required for full integration.
> > Just saying, there is more than just "qubes-*" to be thinking about.
>
> Are you trolling me with this question? Installing those qubes* packages:
>
> * automatically shows you the dependencies on screen
> * automatically installs the dependencies
>
> The recursive dependency information is trivial to discover.

Yes it does, but what else does it need that I have installed that it won't tell me BECAUSE the things are ALREADY INSTALLED?

That's the rest of it... I want to know what it all is, not just what I don't have.

Does that make sense now?
Re: [qubes-users] Re: Thoughts about installed software
On 10/12/2016 08:50 AM, Robert Mittendorf wrote:
> Well, the discussion leaves the focus I intended it to have.
> It is surely worth thinking about what a minimum template needs to have.
> Nevertheless I think Qubes is about "I know I can get exploited, so
> just protect the other parts of the system". Afaik a normal Qubes
> template has only the root user, so after an exploit the attacker is
> root in that VM, right?
>
> My thoughts are more about continuing the attack to other QubesVMs or
> even other systems by means of installed Software like a VNC client.
>

From a perspective of the current minimal template, the template needs:

* NetworkManager
* NetworkManager-wifi
* network-manager-applet

My manifest here says you must delete NetworkManager-config-connectivity-fedora. I don't remember what that package does.

--
Rudd-O
http://rudd-o.com/
[qubes-users] Re: Thoughts about installed software
https://www.qubes-os.org/doc/vm-sudo/

You can configure the root account during the installation process. If you want to have more secure apps then maybe use SELinux | AppArmor for an additional security layer.
Re: [qubes-users] Re: Thoughts about installed software
Well, the discussion leaves the focus I intended it to have.
It is surely worth thinking about what a minimum template needs to have.
Nevertheless I think Qubes is about "I know I can get exploited, so just protect the other parts of the system". Afaik a normal Qubes template has only the root user, so after an exploit the attacker is root in that VM, right?

My thoughts are more about continuing the attack to other QubesVMs or even other systems by means of installed Software like a VNC client.
Re: [qubes-users] Re: Thoughts about installed software
On Wednesday, 12 October 2016 11:30:27 UTC+11, Manuel Amador (Rudd-O) wrote:
> On 10/12/2016 12:26 AM, Drew White wrote:
> > Hi Robert,
> > Do you think you could build a template that would be that which you would
> > consider secure?
> >
> > Personally, I've been asking what packages are REQUIRED for full
> > integration, and never gotten an answer that provides the information I
> > request from anyone, not even the qubes devs.
>
> All the packages in the template that are named qubes-* are required for
> full integration. Additionally, NetworkManager, NetworkManager-wifi and
> NetworkManager*fedora are also required for NetVMs to operate correctly.

So what do those packages require as dependencies though?
The dependencies are also required for full integration.
Just saying, there is more than just "qubes-*" to be thinking about.

> The Fedora minimal template works fine as a very minimal base system.
> Those NetworkManager packages are needed to use it as a sys-net template.

The Fedora minimal template is FAR from minimal. It still contains a lot of things it shouldn't, and is missing vital things too.

> >
> > I'm not sure if they don't know, or just think that the information is
> > there when it isn't,
>
> Of course they know. They build the templates. It's just that this
> question is a low-priority question because this is something you could
> have found out yourself.

No, it's not a low-priority question, I was told that they didn't know. I can find the thread where they told me, if you want, or else you can search qubes-users for it.
Re: [qubes-users] Re: Thoughts about installed software
On 10/12/2016 12:26 AM, Drew White wrote:
> Hi Robert,
> Do you think you could build a template that would be that which you would
> consider secure?
>
> Personally, I've been asking what packages are REQUIRED for full integration,
> and never gotten an answer that provides the information I request from
> anyone, not even the qubes devs.

All the packages in the template that are named qubes-* are required for full integration. Additionally, NetworkManager, NetworkManager-wifi and NetworkManager*fedora are also required for NetVMs to operate correctly.

The Fedora minimal template works fine as a very minimal base system. Those NetworkManager packages are needed to use it as a sys-net template.

>
> I'm not sure if they don't know, or just think that the information is there
> when it isn't,

Of course they know. They build the templates. It's just that this question is a low-priority question because this is something you could have found out yourself.

--
Rudd-O
http://rudd-o.com/
[qubes-users] Re: Thoughts about installed software
On Tuesday, 11 October 2016 20:30:54 UTC+11, Robert Mittendorf wrote:
> Software that you don't need is a security risk as it imposes additional
> attack surface - we all know that.
> Besides exploits those tools might cause additional threat (e.g. RDP-
> VNC-, SSH-Clients)
> So you better do not install non-universal software* in a template VM.
> *software that is not needed in every VM which is based on that template
>
> So where to put non-universal software?
>
> - user-space: allows malware to persist easily, because of persistent
> write rights. And does not allow usage of standard repositories
> - other (cloned) TemplateVM: You need to make sure that you keep all
> templates up-to-date for security reasons, you need much more storage
> space and cause more ssd aging
>
> So what about a multi-level template system. That way you can keep at
> least most software up-to-date with a single update process. This would
> need a delta-filesystem instead of the current image=directory approach
> I think. I don't know whether Xen has such capabilities?!
>
> Robert

Hi Robert,
Do you think you could build a template that would be that which you would consider secure?

Personally, I've been asking what packages are REQUIRED for full integration, and never gotten an answer that provides the information I request from anyone, not even the qubes devs.

I'm not sure if they don't know, or just think that the information is there when it isn't, but if you are able to build a secure template, one that is based for Qubes and works properly and fully, then you should do it and give it to them to put into the template repo.

I think it would be interesting if you could actually do it, rather than these insecure systemd templates.