Re: [qubes-users] First time user: initial issues and thoughts

2017-03-05 Thread Andrew David Wong

On 2017-03-04 06:35, sm8ax1 wrote:
> Hi,
> 
> I just installed Qubes yesterday and wanted to share my thoughts and
> some issues I ran into.
> 
> Table of Contents
> 1. Use Case / Thanks
> 2. Minor issues with manual partitioning and assigning mountpoints
> 3. First-boot dialog
> 4. NetworkManager applet didn't start the first time
> 5. Modifying /etc files in template-inherited VMs persistently
> 6. Screensaver blacks screen but doesn't turn off the backlight
> 7. sys-firewall uses much more RAM than it should have to
> 8. Encrypted /boot partition support
> 
> First, I want to thank the developers. I've used Xen with QEMU and GTK+
> on other Linuxes before, so I'm familiar with some of the concepts. I
> was trying to accomplish basically what Qubes did, but it was a real
> pain to manage, the actual security of the whole system was
> questionable, and even simple tasks like pasting text or transferring
> files were a pain. You guys did a great job with Qubes. It's the OS I've
> been waiting for.
> 

Welcome, and thank you for the thoughtful and organized feedback!

> I learned about it a long time ago, probably around the time it first
> came out, but I didn't think about trying it until it was featured on
> the Tor blog and I learned about some new features. (For anyone who's
> interested, I had a thoughtful, though theoretical, debate with another
> reader about the some of the design choices around Qubes:
> https://blog.torproject.org/blog/tor-heart-qubes-os#comment-229452)
> 
> The installation was pretty easy, but I ran into somewhat of an edge
> case that held me up a little. I did my partitioning manually, and kept
> the same GPT (and protective MBR) that was already installed.
> 
> BIOS Boot Partition (1007K) - out-of-alignment filesystemless partition
> that allows GRUB to embed itself
> EFI System Partition
> /boot partition
> encrypted main partition with LVM
>   root
>   swap
> 
> All good. Here's the issue. I thought I would "help" the installer by
> creating a BTRFS LV for the root filesystem. It showed up in the
> installer with a weird name like "btrfs.XXX" (where X is a digit that
> changed on each reboot), and it didn't have the logical volume name in
> the subtext like my swap LV did. I was typing "/" into the mountpoint
> field, but instead of moving the partition up to the
> to-be-assigned-a-mount-point group (above the list of available
> partitions) when I clicked away like /boot and /boot/efi, the "/"
> disappeared and the partition stayed put. I didn't think anything of
> pre-formatting the LV with BTRFS because it was okay for all of the
> other partitions.
> 
> I worked around it by removing the filesystem from the LV (zeroing it
> out), and then the installer finally allowed me to have a new BTRFS
> filesystem created on the LV and a mountpoint assigned. I think at some
> point I read in the documentation that the root filesystem MUST be newly
> created, but it would have saved me a lot of time if the installer had
> just told me that. Overall I'd say it did alright for an LVM-on-LUKS
> with BTRFS installation though.
> 

Possibly related and/or helpful links:

https://www.qubes-os.org/doc/custom-install/
https://github.com/QubesOS/qubes-issues/issues/2340
(I've added a link to your post.)

> The first-boot options dialog could have explained the options a little
> better, or they should be explained in the documentation. For example,
> the option to proxy all applications and upgrades through Tor, I
> selected it because it sounded like what I wanted, but I didn't really
> understand how it would affect the networking VM hierarchy or whether I
> could still create unproxied VMs. I left the USB VM (sys-usb) option
> unselected because I wasn't sure how reliable it would be, I don't have
> an IOMMU anyway, and I don't connect a lot of random USB devices to my
> computer, but I would like to try the feature in the future. All along I
> was thinking "Can I change my mind later? Am I stuck with these
> decisions for the rest of my life?"
> 

We plan to implement explanatory tooltips to help with this:

https://github.com/QubesOS/qubes-issues/issues/2211
(I've added your comments and a link to this post.)

> Next, and this is the biggest one, the NetworkManager applet in sys-net
> didn't start the first time, so I spent a lot of extra time tinkering
> with it and researching the problem until I found a bug report that
> described the exact problem I was having. All I had to do was restart
> sys-net, but it would have saved me a lot of time if it had started on
> its own the first time.
> 

Was it this one?

https://github.com/QubesOS/qubes-issues/issues/2293

> I wanted to setup MAC address spoofing on my wireless interface too, so
> I modified /etc/NetworkManager/NetworkManager.conf in sys-net, but when
> I restarted it my changes were gone. I read that I have to make changes
> in the TemplateVM itself (fedora-23) for 
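
The persistence problem from item 5 above (edits to /etc/NetworkManager/NetworkManager.conf in sys-net vanish on restart because sys-net is template-based) is what bind-dirs exists for: editing the template changes every qube built on it, whereas a bind-dirs entry gives one qube its own persistent copy of a file under /rw. The script below is an added example, not part of the original post and not Qubes project code. Assumed: bind-dirs reads every /rw/config/qubes-bind-dirs.d/*.conf and expects lines of the form binds+=( '/path' ), as the Qubes bind-dirs documentation for R3.2 describes; the file name 50_user.conf, the persist_path function and the ROOT override used for testing are this example's own choices.

```shell
#!/bin/sh
# Added example, not Qubes project code: register one file with bind-dirs so a
# template-based qube (here sys-net) keeps its own copy of it across reboots.
# Assumed: bind-dirs reads every /rw/config/qubes-bind-dirs.d/*.conf and
# expects lines of the form  binds+=( '/path' )  (Qubes bind-dirs doc, R3.2);
# the file name 50_user.conf and the ROOT override for testing are ours.

CONF_REL=/rw/config/qubes-bind-dirs.d/50_user.conf

# bind_line PATH -> the line bind-dirs expects for PATH
bind_line() {
  printf "binds+=( '%s' )" "$1"
}

# persist_path ABS_PATH -> appends the entry once; prints "added" or "present"
persist_path() {
  case $1 in
    /*) ;;
    *) echo "need an absolute path, got: $1" >&2; return 1 ;;
  esac
  conf="${ROOT:-}$CONF_REL"            # ROOT is only set when testing
  mkdir -p "$(dirname "$conf")"
  line=$(bind_line "$1")
  if [ -f "$conf" ] && grep -qxF -- "$line" "$conf"; then
    echo present                        # idempotent: never a duplicate entry
  else
    printf '%s\n' "$line" >> "$conf"
    echo added
  fi
}

# Usage inside the qube (then reboot it so the bind mount appears):
#   sudo sh persist-etc-file.sh /etc/NetworkManager/NetworkManager.conf
if [ $# -eq 1 ]; then
  persist_path "$1"
fi
```

Run it once in sys-net as root, reboot the qube, then make the NetworkManager edit; from then on the edit survives restarts because the file is bind-mounted from /rw/bind-dirs over the template's copy. Until that first reboot the file is still the template's, so an edit made before it is lost exactly as before.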

[qubes-users] Re: HCL - Asus H97M-E

2017-03-05 Thread raahelps
On Saturday, March 4, 2017 at 3:37:25 PM UTC-5, Timo Saarinen wrote:
> 

nice 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b8663656-b24c-4ed6-9d6e-1a7df203562d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: HCL - Asus H97M-E

2017-03-05 Thread Timo Saarinen
On 05/03/17 22:15, raahe...@gmail.com wrote:
> On Saturday, March 4, 2017 at 3:37:25 PM UTC-5, Timo Saarinen wrote:
> nice 
Yeah, I felt lucky that VT-x, EPT and VT-d features were supported by
the CPU even if my original goal was to build a quiet desktop. It seems
that the report had a couple of typos (in chipset-short and remarks
fields). Shouldn't try to copy-paste between the domains when it's too
late... The corrected version is attached.

Timo



Qubes-HCL-ASUS-All_Series-20170304-205543.yml
Description: application/yaml




[qubes-users] always blank VM-untrusted. possible?

2017-03-05 Thread evo
Hi!

Is there any possibility to get everything in the home folder deleted when I
restart the VM (in this case untrusted)?

This would be more secure, so there would be no need to take care of
surfing and such things.

greets
evo



Re: [qubes-users] Firewall error by adding new IP

2017-03-05 Thread Unman
On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
> Hello!
> 
> I get an error pop-up:
> "ERROR: Firewall tab: (0,'Error')"
> 
> when adding a new address.
> 
> I have already added a few addresses (about 20 or 30).
> Is there any limit or something like that??
> 
> thanks!

Yes. It's documented here:
www.qubes-os.org/doc/firewall

There's also a proposal for a workaround.



Re: [qubes-users] Firewall error by adding new IP

2017-03-05 Thread evo


On 03/05/2017 10:22 PM, Unman wrote:
> On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
>> Oh, thanks... I thought I had read the post about the firewall, but didn't see
>> the limit of 3 kB.
>>
>> So the only way to get over 3 kB is to edit my own rules in /rw/config?
>> And for building my own script there, I should really understand the
>> whole iptables thing.. puh :)
>>
>> Sorry for the newbie question, but what the hell is /rw??
>>
>>
>>
>> On 03/05/2017 10:03 PM, Unman wrote:
>>> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>>>> Hello!
>>>> 
>>>> I get an error pop-up:
>>>> "ERROR: Firewall tab: (0,'Error')"
>>>> 
>>>> when adding a new address.
>>>> 
>>>> I have already added a few addresses (about 20 or 30).
>>>> Is there any limit or something like that??
>>>> 
>>>> thanks!
>>>
>>> Yes:
>>> It's documented here:
>>> www.qubes-os.org/doc/firewall
>>>
>>> There's also a proposal for a work around
>>>
> 
> Can you try not to top-post?
> 
> When you are running a TemplateBasedVM, most of the file system comes
> from the template. This means that many changes that you make will
> disappear on reboot (e.g. changing config in /etc, installing programs
> etc.)
> Some parts of the file system (/home and /usr/local) DO persist in the
> qube. They are actually stored in /rw: have a look.
> There is also a mechanism (bind-dirs) for making other files persistent.
> You can read about it in the docs.
> (You can, of course, also store files in /rw/config and use the
> rc.local mechanism to change files in the root file system on boot, e.g.
> adding entries to hosts files, custom iptables rules etc etc.)
> 
> unman
> 

OK, so /rw is on the VM and not in dom0, understood.

Do I need a special name for the iptables rules in /rw/config?

Maybe just an example for permitting 8.8.8.8:80 ... I know it's the iptables
thing :)

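Putting the rules in /rw/config as unman describes, as an added example that is not part of the thread and not Qubes project code: a replacement for a GUI list that is too long for the 3 kB limit. It is written for the /rw/config/qubes-firewall-user-script hook, which Qubes 3.2 runs in a ProxyVM such as sys-firewall every time it re-applies its own firewall rules, so the script has to be safe to run repeatedly. Assumed: that hook path (named in the Qubes firewall documentation), a file /rw/config/allow.list holding one "DEST PORT [PROTO]" entry per line, the private chain name QBS-USER, and 10.137.2.12 as the IP of the qube the list applies to (take the real one from qvm-ls -n in dom0). The 8.8.8.8:80 entry evo asked about is the first line of the constructed list in the comment.

```shell
#!/bin/sh
# Added example, not Qubes project code: /rw/config/qubes-firewall-user-script
# for a Qubes 3.2 ProxyVM (assumed hook path; see the lead-in). Loads ACCEPT
# rules for one downstream qube from /rw/config/allow.list (assumed file name)
# into a private chain, so a list far over the 3 kB GUI limit still applies.
# Qubes re-runs this hook whenever it rebuilds its rules, so everything here
# is idempotent. Set IPT=echo to print the iptables commands instead.

CHAIN=QBS-USER

# rule_args SRC DEST PORT PROTO -> iptables arguments for one ACCEPT rule
rule_args() {
  echo "-A $CHAIN -s $1 -d $2 -p $4 --dport $3 -j ACCEPT"
}

# load_allow_list SRC_QUBE_IP ALLOW_FILE
#   Recreates the chain, hooks it once at the top of FORWARD for SRC, then
#   appends one ACCEPT per "DEST PORT [PROTO]" line (PROTO defaults to tcp).
load_allow_list() {
  src=$1 file=$2 ipt=${IPT:-iptables}
  $ipt -N "$CHAIN" 2>/dev/null || true     # already exists on reruns
  $ipt -F "$CHAIN"                          # rebuild instead of stacking rules
  $ipt -C FORWARD -s "$src" -j "$CHAIN" 2>/dev/null \
    || $ipt -I FORWARD 1 -s "$src" -j "$CHAIN"
  while read -r dst port proto _; do
    case $dst in ''|'#'*) continue ;; esac  # skip blank lines and comments
    [ -n "$port" ] || { echo "allow.list: missing port for $dst" >&2; continue; }
    $ipt $(rule_args "$src" "$dst" "$port" "${proto:-tcp}")
  done < "$file"
}

# Constructed /rw/config/allow.list in the format load_allow_list reads
# (the third field is optional and defaults to tcp):
#   # web and DNS allowed for this qube
#   8.8.8.8 80 tcp
#   1.1.1.1 53 udp
#   9.9.9.9 443
# Only acts when installed under the hook's name; 10.137.2.12 is an assumed
# qube IP. Sourcing the file for tests runs nothing.
case $0 in
  */qubes-firewall-user-script) load_allow_list 10.137.2.12 /rw/config/allow.list ;;
esac
```

In the GUI, set the qube's policy to deny everything and leave the per-address list empty; the ACCEPT rules live in their own chain that is hooked once at the top of FORWARD, so each rerun flushes and rebuilds the chain instead of piling duplicates onto the Qubes-generated rules. Running it with IPT=echo prints every iptables command instead of executing it, which is the way to review a long list before trusting it.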


Re: [qubes-users] always blank VM-untrusted. possible?

2017-03-05 Thread evo



On 03/05/2017 10:56 PM, sm8ax1 wrote:
> evo:
>> Hi!
>>
>> Is there any possibility to get everything in the home folder deleted when I
>> restart the VM (in this case untrusted)?
>>
>> This would be more secure, so there would be no need to take care of
>> surfing and such things.
>>
>> greets
>> evo
>>
> 
> DisposableVMs are meant for that.
> 
> My XFCE menu came with a Firefox in DispVM option out of the box.
> 
> I'm not sure if you can "mark" an arbitrary VM as disposable, but you
> can clone an existing VM and delete it when you're done. It's a pretty
> quick process.
> 
> https://www.qubes-os.org/doc/dispvm/
> https://www.qubes-os.org/doc/dispvm-customization/
> https://www.whonix.org/wiki/Qubes/Disposable_VM

Thanks! I'll try it also!



Re: [qubes-users] always blank VM-untrusted. possible?

2017-03-05 Thread sm8ax1
evo:
> Hi!
> 
> Is there any possibility to get everything in the home folder deleted when I
> restart the VM (in this case untrusted)?
> 
> This would be more secure, so there would be no need to take care of
> surfing and such things.
> 
> greets
> evo
> 

DisposableVMs are meant for that.

My XFCE menu came with a Firefox in DispVM option out of the box.

I'm not sure if you can "mark" an arbitrary VM as disposable, but you
can clone an existing VM and delete it when you're done. It's a pretty
quick process.

https://www.qubes-os.org/doc/dispvm/
https://www.qubes-os.org/doc/dispvm-customization/
https://www.whonix.org/wiki/Qubes/Disposable_VM




Re: [qubes-users] Re: Attaching a single USB device to a qube (USB passthrough)

2017-03-05 Thread Franz
On Sun, Mar 5, 2017 at 5:11 PM,  wrote:

> On Saturday, March 4, 2017 at 8:06:55 PM UTC-5, Francesco wrote:
> > On Sat, Mar 4, 2017 at 5:14 PM,   wrote:
> >
> >
> > On Saturday, March 4, 2017 at 10:18:18 AM UTC-5, Francesco wrote:
> >
> > > Hello,
> >
> > > for the first time I am trying this new feature of Qubes 3.2 with the
> idea of attaching a scanner to a scannerVM.
> >
> > >
> >
> > > First installed qubes-usb-proxy and simple-scan in the template from
> which both sys-usb and scannerVM depend.
> >
> > >
> >
> > > Then connected the usb cable and the scanner appeared in sys-usb
> terminal:
> >
> > > user@sys-usb:~$ lsusb
> >
> > > Bus 003 Device 005: ID 04a9:190f Canon, Inc.
> >
> > > but
> >
> > > it does not show in dom0 with
> >
> > > qvm-usb
> >
> > > as taught at the end of this document:
> >
> > > https://www.qubes-os.org/doc/usb/
> >
> > > In fact only the webcam appears there.
> >
> > >
> >
> > >
> >
> > > So which is the difference between webcam and scanner? Perhaps that
> the webcam was already installed at boot, while the scanner was connected
> after? But from a security point of view is it advisable to boot with the
> scanner already connected?
> >
> > > Best
> >
> > > Fran
> >
> >
> >
> > did you install the proxy in the USB VM too?
> >
> >
> > yes
> > Not sure, haven't tried with a scanner, only a printer. I still print and
> scan over the network with a Raspberry Pi that I set up on an earlier version of
> Qubes.
> >
> >
> > That may be a cleaner way to do that
> >
> > I've gotten an Android phone to work as a single USB device though too.
> Maybe the scanner uses some different protocol or port?
> >
> >
> >
> > May be, but it seems strange that qvm-usb does not see it
> >
> > Best
> >
> > Fran
> >
> >
> >
> >
> >
>
> Did it work with it plugged in at boot?
>
>
Did not try that, wondering if it may be a security risk.
Best
Fran




[qubes-users] Firewall error by adding new IP

2017-03-05 Thread evo
Hello!

I get an error pop-up:
"ERROR: Firewall tab: (0,'Error')"

when adding a new address.

I have already added a few addresses (about 20 or 30).
Is there any limit or something like that??

thanks!



Re: [qubes-users] always blank VM-untrusted. possible?

2017-03-05 Thread Unman
On Sun, Mar 05, 2017 at 09:43:19PM +0100, evo wrote:
> Hi!
> 
> Is there any possibility to get everything in the home folder deleted when I
> restart the VM (in this case untrusted)?
> 
> This would be more secure, so there would be no need to take care of
> surfing and such things.
> 
> greets
> evo

That's a disposable VM:
www.qubes-os.org/doc/dispvm

There are instructions linked from that page about customising the DVMTemplate



[qubes-users] Re: Archlinux Community Template Qubes OS 3.2

2017-03-05 Thread andresmrm
Hi!

I saw in the repository some files about an Arch Linux Minimal template:
https://github.com/QubesOS/qubes-builder-archlinux/blob/master/scripts/packages_minimal.list

How should we install it? Must we build it?

I tried to install "qubes-template-archlinux-minimal", but it can't be found. 
And "qubes-template-archlinux" came only with the default template.

Also, the Arch Linux template is not shutting down normally (need to kill the 
VM). With a quick look at logs it seems qetty is not terminating. I can try to 
paste the logs here if it's an unknown bug.

Regards



[qubes-users] qvm-create-default-dvm fails

2017-03-05 Thread haaber
Hello,

I want to base my disp-vm's on debian-8. So I run in dom0

> [me@dom0 dvmdata]$  sudo qvm-create-default-dvm debian-8
> A VM with the name 'debian-8-dvm' does not exist in the system.

This is strange, since /var/lib/qubes/appvms/debian-8-dvm DOES exist.
Running it with "sh -x" prefix, I find the problem here:
> [me@dom0 dvmdata]$  sudo sh -x qvm-create-default-dvm debian-8
> [..]
> + /usr/lib/qubes/qubes-prepare-saved-domain.sh debian-8-dvm /var/lib/qubes/appvms/debian-8-dvm/dvm-savefile vm-default
> A VM with the name 'debian-8-dvm' does not exist in the system.

So the error is produced by qubes-prepare-saved-domain.sh. Prefixing
the offending command with "bash -x" gives

> sudo bash -x qubes-prepare-saved-domain.sh debian-8-dvm /var/lib/qubes/appvms/debian-8-dvm/dvm-savefile vm-default
> [..]
> + qvm-start debian-8-dvm --dvm
> A VM with the name 'debian-8-dvm' does not exist in the system.

This is a python2 script. Running it with -v reveals

> [me@dom0 dvmdata]$ sudo /usr/bin/python2 -v /usr/bin/qvm-start debian-8-dvm --dvm
> [..]
> # /usr/lib64/python2.7/gettext.pyc matches /usr/lib64/python2.7/gettext.py
> import gettext # precompiled from /usr/lib64/python2.7/gettext.pyc
> # /usr/lib64/python2.7/locale.pyc matches /usr/lib64/python2.7/locale.py
> import locale # precompiled from /usr/lib64/python2.7/locale.pyc
> # /usr/lib64/python2.7/copy.pyc matches /usr/lib64/python2.7/copy.py
> import copy # precompiled from /usr/lib64/python2.7/copy.pyc
> A VM with the name 'debian-8-dvm' does not exist in the system.

Here I am stuck. May anybody help me understand what may go wrong here? 
Bernhard




Re: [qubes-users] Re: fedora-24 update error: nothing provides ostree-libs(x86-64) >= 2016.14 needed by flatpak-0.8.3-3.fc24.x86_64

2017-03-05 Thread raahelps
On Sunday, March 5, 2017 at 5:31:48 AM UTC-5, Andrew David Wong wrote:
> 
> On 2017-03-03 15:41, raahe...@gmail.com wrote:
> > On Friday, March 3, 2017 at 6:38:24 PM UTC-5, raah...@gmail.com
> > wrote:
> >> On Friday, March 3, 2017 at 9:40:20 AM UTC-5,
> >> mitte...@digitrace.de wrote:
> >>> Hello fellow Qubes users,
> >>> 
> >>> If I execute update of the fedora-24 template via the Qubes VM
> >>> manager, it aborts with the error
> >>> 
> >>> nothing provides ostree-libs(x86-64) >= 2016.14 needed by 
> >>> flatpak-0.8.3-3.fc24.x86_64
> >>> 
> >>> If I use sudo dnf upgrade from the terminal within fedora-24
> >>> the command is executed, but later executions list the problem
> >>> with flatpak (broken dependencies)
> >>> 
> >>> Of course I can remove flatpak, but I don't know whether I may
> >>> need it?!
> >>> 
> >>> thanks
> >> 
> >> I removed it haven't noticed any problems.  But I also wonder
> >> what it is.
> > 
> > Hopefully removing it did not lessen my security?
> > 
> 
> Relevant issue: https://github.com/QubesOS/qubes-issues/issues/2656
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Yes, but is removing flatpak bad for my security? Maybe I should install it
again?



Re: [qubes-users] Re: Attaching a single USB device to a qube (USB passthrough)

2017-03-05 Thread raahelps
On Saturday, March 4, 2017 at 8:06:55 PM UTC-5, Francesco wrote:
> On Sat, Mar 4, 2017 at 5:14 PM,   wrote:
> 
> 
> On Saturday, March 4, 2017 at 10:18:18 AM UTC-5, Francesco wrote:
> 
> > Hello,
> 
> > for the first time I am trying this new feature of Qubes 3.2 with the idea 
> > of attaching a scanner to a scannerVM.
> 
> >
> 
> > First installed qubes-usb-proxy and simple-scan in the template from which 
> > both sys-usb and scannerVM depend.
> 
> >
> 
> > Then connected the usb cable and the scanner appeared in sys-usb terminal:
> 
> > user@sys-usb:~$ lsusb
> 
> > Bus 003 Device 005: ID 04a9:190f Canon, Inc.
> 
> > but
> 
> > it does not show in dom0 with
> 
> > qvm-usb
> 
> > as taught at the end of this document:
> 
> > https://www.qubes-os.org/doc/usb/
> 
> > In fact only the webcam appears there.
> 
> >
> 
> >
> 
> > So which is the difference between webcam and scanner? Perhaps that the 
> > webcam was already installed at boot, while the scanner was connected 
> > after? But from a security point of view is it advisable to boot with the 
> > scanner already connected?
> 
> > Best
> 
> > Fran
> 
> 
> 
> did you install the proxy in the USB VM too?
> 
> 
> yes 
> Not sure, haven't tried with a scanner, only a printer. I still print and scan 
> over the network with a Raspberry Pi that I set up on an earlier version of Qubes.
> 
> 
> That may be a cleaner way to do that 
> 
> I've gotten an Android phone to work as a single USB device though too. Maybe 
> the scanner uses some different protocol or port?
> 
> 
> 
> May be, but it seems strange that qvm-usb does not see it
> 
> Best
> 
> Fran 
> 
> 
> 
> 
> 

Did it work with it plugged in at boot?



[qubes-users] DNS

2017-03-05 Thread 'Antoine' via qubes-users
Hi,

I have recently installed Qubes OS and I am experiencing some slow resolution
times in my Debian VM. I have checked the /etc/resolv.conf file and
it contains the following lines:

nameserver 10.137.2.1
nameserver 10.137.2.254

Playing with dig I can realise that the first IP is working well while
all DNS queries sent to the second one finish in timeout:

$ dig +short qubes-os.org @10.137.2.1
104.25.152.101
104.25.151.101
$ dig +short qubes-os.org @10.137.2.254
;; connection timed out; no servers could be reached

In sys-firewall, everything seems OK:

$ iptables -S -t nat
[...]
-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 
10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 
10.137.1.1
-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 
10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 
10.137.1.254

But I have the feeling something is missing in sys-net:

$ iptables -S -t nat
[...]
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 
192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 
192.168.1.1
[...]

where 192.168.1.1 is the expected DNS server on my LAN.

Do you have an idea why this DNAT rule is missing? (I am not sure I
understand why two different nameservers are filled in resolv.conf.)

Many thanks for your help,

Antoine

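The walk Antoine did by hand (resolv.conf in the qube, then PR-QBS in sys-firewall, then PR-QBS in sys-net) as an added shell check, not from the thread and not Qubes project code. Run inside sys-net or sys-firewall, it reports every virtual DNS address that VM advertises to its downstream qubes which has no udp/53 or tcp/53 DNAT in PR-QBS, and lists the upstream servers the existing DNATs point to, so the hop where the chain breaks is named instead of guessed. Assumed: the two advertised addresses are readable with qubesdb-read from /qubes-netvm-primary-dns and /qubes-netvm-secondary-dns (the keys the 3.2 agent's DNS setup uses); the function names and the sample rule text in the comment, constructed to mirror the iptables -S -t nat output quoted above, are this example's own.

```shell
#!/bin/sh
# Added example: is every virtual DNS address this NetVM/ProxyVM hands out
# DNATed in its nat table? Not Qubes project code; assumptions in the lead-in.

# unmapped_dns "ADDR ADDR ..." RULES_FILE
#   RULES_FILE holds "iptables -S -t nat" output; prints ADDR/PROTO for each
#   address lacking a PR-QBS DNAT on port 53 for that protocol.
unmapped_dns() {
  for a in $1; do
    esc=$(printf '%s' "$a" | sed 's/\./\\./g')   # literal dots in the regex
    for p in udp tcp; do
      grep -q -- "^-A PR-QBS -d $esc/32 -p $p -m $p --dport 53 -j DNAT --to-destination " "$2" \
        || echo "$a/$p"
    done
  done
}

# dnat_targets RULES_FILE -> distinct upstream servers the PR-QBS DNATs point to
dnat_targets() {
  sed -n 's/^-A PR-QBS .* -j DNAT --to-destination \([0-9.]*\).*/\1/p' "$1" | sort -u
}

# Constructed sample of what "iptables -S -t nat" prints in a sys-net that
# only DNATs the primary address (the situation Antoine quoted):
#   -A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
#   -A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
# unmapped_dns "10.137.1.1 10.137.1.254" on that file prints
#   10.137.1.254/udp and 10.137.1.254/tcp.

# Live mode (assumed qubesdb keys):  sudo sh dns-dnat-check.sh --live
if [ "${1:-}" = "--live" ]; then
  addrs="$(qubesdb-read /qubes-netvm-primary-dns) $(qubesdb-read /qubes-netvm-secondary-dns)"
  rules=$(mktemp)
  iptables -S -t nat > "$rules"
  echo "virtual DNS addresses: $addrs"
  echo "upstream servers:      $(dnat_targets "$rules" | tr '\n' ' ')"
  missing=$(unmapped_dns "$addrs" "$rules")
  rm -f "$rules"
  if [ -n "$missing" ]; then
    echo "no DNAT for: $(echo "$missing" | tr '\n' ' ')"
    exit 1
  fi
  echo "all virtual DNS addresses are DNATed"
fi
```

Run it in sys-firewall first, then in sys-net: the first VM whose output names a missing address is where the second nameserver stops being forwarded, and the upstream list shows what the working DNAT actually points at on the LAN side.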




Re: [qubes-users] DNS

2017-03-05 Thread Unman
On Sun, Mar 05, 2017 at 09:25:07PM +0100, 'Antoine' via qubes-users wrote:
> Hi,
> 
> I have recently installed Qubes OS and I am experiencing some slow resolution
> times in my Debian VM. I have checked the /etc/resolv.conf file and
> it contains the following lines:
> 
> nameserver 10.137.2.1
> nameserver 10.137.2.254
> 
> Playing with dig I can realise that the first IP is working well while
> all DNS queries sent to the second one finish in timeout:
> 
> $ dig +short qubes-os.org @10.137.2.1
> 104.25.152.101
> 104.25.151.101
> $ dig +short qubes-os.org @10.137.2.254
> ;; connection timed out; no servers could be reached
> 
> In sys-firewall, everything seems OK:
> 
> $ iptables -S -t nat
> [...]
> -A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 
> 10.137.1.1
> -A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 
> 10.137.1.1
> -A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT 
> --to-destination 10.137.1.254
> -A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT 
> --to-destination 10.137.1.254
> 
> But I have the feeling something is missing in sys-net:
> 
> $ iptables -S -t nat
> [...]
> -A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 
> 192.168.1.1
> -A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 
> 192.168.1.1
> [...]
> 
> where 192.168.1.1 is the expected DNS server on my LAN.
> 
> Do you have an idea why this DNAT rule is missing? (I am not sure I
> understand why two different nameservers are filled in resolv.conf.)
> 
> Many thanks for your help,
> 
> Antoine
> 
> -- 

No idea - report it as a bug



Re: [qubes-users] Re: How to use a and which mailclient in QUBES (via TOR)?

2017-03-05 Thread Unman
On Sun, Mar 05, 2017 at 01:25:19PM +, sm8ax1 wrote:
> Unman:
> > On Sat, Mar 04, 2017 at 11:30:35PM -, pixr...@mail2tor.com wrote:
> > 
> >> What needs to be done that IMAP goes over TOR? can this be done and if so
> >> how should I set it up in Qubes?
> >>
> > 
> > Just put your mail qubes downstream from a TorVM, so that the traffic is
> > routed through Tor.
> > Or look at implementing this on a whonix workstation.
> > 
> 
> New to this thread (and list) so sorry if I missed something, but
> Icedove (Thunderbird) with TorBirdy is preinstalled in Whonix which is
> included with Qubes. All you have to do is configure it with your email
> account. It only took me a couple of minutes and it works well. I think
> I had to manually add a shortcut via the Qubes VM manager.
> 
> As for which client to use, I think Claws is the only client officially
> deemed safe. Thunderbird+TorBirdy seems pretty safe to me, at least
> there are no critical outstanding bugs, but it's still considered
> experimental. Beyond that, it's a matter of personal preference, but be
> aware of both exploitation and fingerprinting matters especially in
> clients not designed for Tor.
> 

You did miss something - this was the first response.

But Tim suggested trying mutt, and I endorsed that, which is how the
thread progressed.




Re: [qubes-users] Firewall error by adding new IP

2017-03-05 Thread evo
oh, thanks... i thought i read the post about firewall, but didn't see
the limit of 3kb.

so the only way to get over 3kb is to edit own rules in /rw/config?
And for building the own script there, i should really understand the
whole iptables thing.. puh :)

sorry for the newbie question, but what the hell is /rw??



On 03/05/2017 10:03 PM, Unman wrote:
> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>> Hello!
>>
>> i get an error pop-up:
>> "ERROR: Firewall tab: (0,'Error')
>>
>> by adding new address.
>>
>> i have already added few addresses (about 20 or 30)
>> is there any limit or something like that??
>>
>> thanks!
> 
> Yes:
> It's documented here:
> www.qubes-os.org/doc/firewall
> 
> There's also a proposal for a work around
> 



Re: [qubes-users] First time user: initial issues and thoughts

2017-03-05 Thread sm8ax1
Andrew David Wong:
> On 2017-03-04 06:35, sm8ax1 wrote:
>> Hi,
> 
>> I just installed Qubes yesterday and wanted to share my thoughts and
>> some issues I ran into.
> 
>> Table of Contents
>> 1. Use Case / Thanks
>> 2. Minor issues with manual partitioning and assigning mountpoints
>> 3. First-boot dialog
>> 4. NetworkManager applet didn't start the first time
>> 5. Modifying /etc files in template-inherited VMs persistently
>> 6. Screensaver blacks screen but doesn't turn off the backlight
>> 7. sys-firewall uses much more RAM than it should have to
>> 8. Encrypted /boot partition support
> 
>> First, I want to thank the developers. I've used Xen with QEMU and GTK+
>> on other Linuxes before, so I'm familiar with some of the concepts. I
>> was trying to accomplish basically what Qubes did, but it was a real
>> pain to manage, the actual security of the whole system was
>> questionable, and even simple tasks like pasting text or transferring
>> files were a pain. You guys did a great job with Qubes. It's the OS I've
>> been waiting for.
> 
> 
> Welcome, and thank you for the thoughtful and organized feedback!
> 
>> I learned about it a long time ago, probably around the time it first
>> came out, but I didn't think about trying it until it was featured on
>> the Tor blog and I learned about some new features. (For anyone who's
>> interested, I had a thoughtful, though theoretical, debate with another
>> reader about the some of the design choices around Qubes:
>> https://blog.torproject.org/blog/tor-heart-qubes-os#comment-229452)
> 
>> The installation was pretty easy, but I ran into somewhat of an edge
>> case that held me up a little. I did my partitioning manually, and kept
>> the same GPT (and protective MBR) that was already installed.
> 
>> BIOS Boot Partition (1007K) - out-of-alignment filesystemless partition
>> that allows GRUB to embed itself
>> EFI System Partition
>> /boot partition
>> encrypted main partition with LVM
>>  root
>>  swap
> 
>> All good. Here's the issue. I thought I would "help" the installer by
>> creating a BTRFS LV for the root filesystem. It showed up in the
>> installer with a weird name like "btrfs.XXX" (where X is a digit that
>> changed on each reboot), and it didn't have the logical volume name in
>> the subtext like my swap LV did. I was typing "/" into the mountpoint
>> field, but instead of moving the partition up to the
>> to-be-assigned-a-mount-point group (above the list of available
>> partitions) when I clicked away like /boot and /boot/efi, the "/"
>> disappeared and the partition stayed put. I didn't think anything of
>> pre-formatting the LV with BTRFS because it was okay for all of the
>> other partitions.
> 
>> I worked around it by removing the filesystem from the LV (zeroing it
>> out), and then the installer finally allowed me to have a new BTRFS
>> filesystem created on the LV and a mountpoint assigned. I think at some
>> point I read in the documentation that the root filesystem MUST be newly
>> created, but it would have saved me a lot of time if the installer had
>> just told me that. Overall I'd say it did alright for an LVM-on-LUKS
>> with BTRFS installation though.
> 
> 
> Possibly related and/or helpful links:
> 
> https://www.qubes-os.org/doc/custom-install/
> https://github.com/QubesOS/qubes-issues/issues/2340
> (I've added a link to your post.)

Thanks, I read the custom install page prior to installing, but I was
unaware of #2340.

To be honest, when I decided I wanted BTRFS, I just sort of assumed that
guest disk images were logical volumes to begin with. The custom install
page mentioned LVM in every scenario, so I thought it was necessary for
that reason. And the Xen wiki repeatedly mentions that logical volumes
are faster than image files on any kind of filesystem. It was, however,
suspicious when the custom install page said "-l 100%FREE" for the root
LV. I guess that's what I get for assuming.

Are there any plans for hooking Qubes up to the LVM in this way? LVM
itself supports block-level rw CoW snapshots, and the Xen project
strongly recommends it over image files.

And as a final thought, it really wouldn't be that hard for Qubes to run
`chattr +C $file` when a new image file is created (though CoW is
reenabled if you take a snapshot, according to #2340). Note that if you
want to do this after the fact, you have to recreate the file (setting
+C on a non-empty-file is undefined).

mv file.img file.img.bak      # keep the existing (CoW) copy aside
touch file.img                # create an empty file ...
chattr +C file.img            # ... so NOCOW is set before any data is written
cp file.img.bak file.img      # copy the data back into the NOCOW inode
rm file.img.bak

> 
>> The first-boot options dialog could have explained the options a little
>> better, or they should be explained in the documentation. For example,
>> the option to proxy all applications and upgrades through Tor, I
>> selected it because it sounded like what I wanted, but I didn't really
>> understand how it would affect the networking VM hierarchy or whether I
>> could still create unproxied VMs. I left 

Re: [qubes-users] do I really need these packages in dom0 :?

2017-03-05 Thread Andrew David Wong

On 2017-03-03 04:15, Oleg Artemiev wrote:
> On Fri, Mar 3, 2017 at 12:34 AM, Oleg Artemiev 
>  wrote:
>> On Thu, Mar 2, 2017 at 11:01 PM, Marek Marczykowski-Górecki 
>>  wrote:
>>> [...]
 
 from above only netcf-libs is required indirectly by xen 
 related package. So is it safe to drop all other from above 
 w/ rpm -e  ?
>>> 
>>> Yes. You can start with 'dnf remove initial-setup-gui' - it 
>>> will propose additional packages not needed anymore. But 
>>> carefully review that list before confirming.
> 
>> Shouldn't those be removed by default as a postinstall step?
> 
> May I add this (and above sentence as subject) as a feature
> request in github?
> 

I waited a couple of days for this but didn't see anything submitted,
so I've created an issue for it:

https://github.com/QubesOS/qubes-issues/issues/2670

Didn't mean to steal your thunder, but I was afraid it would end up
falling through the cracks (as so many important issues do).

> We should not have non-required packages in Dom0 by default, 
> right?
> 

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: How to use a and which mailclient in QUBES (via TOR)?

2017-03-05 Thread sm8ax1
Unman:
> On Sat, Mar 04, 2017 at 11:30:35PM -, pixr...@mail2tor.com wrote:
> 
>> What needs to be done that IMAP goes over TOR? can this be done and if so
>> how should I set it up in Qubes?
>>
> 
> Just put your mail qubes downstream from a TorVM, so that the traffic is
> routed through Tor.
> Or look at implementing this on a whonix workstation.
> 

New to this thread (and list) so sorry if I missed something, but
Icedove (Thunderbird) with TorBirdy is preinstalled in Whonix which is
included with Qubes. All you have to do is configure it with your email
account. It only took me a couple of minutes and it works well. I think
I had to manually add a shortcut via the Qubes VM manager.

As for which client to use, I think Claws is the only client officially
deemed safe. Thunderbird+TorBirdy seems pretty safe to me, at least
there are no critical outstanding bugs, but it's still considered
experimental. Beyond that, it's a matter of personal preference, but be
aware of both exploitation and fingerprinting matters especially in
clients not designed for Tor.



Re: [qubes-users] Re: fedora-24 update error: nothing provides ostree-libs(x86-64) >= 2016.14 needed by flatpak-0.8.3-3.fc24.x86_64

2017-03-05 Thread Andrew David Wong

On 2017-03-03 15:41, raahe...@gmail.com wrote:
> On Friday, March 3, 2017 at 6:38:24 PM UTC-5, raah...@gmail.com
> wrote:
>> On Friday, March 3, 2017 at 9:40:20 AM UTC-5,
>> mitte...@digitrace.de wrote:
>>> Hello fellow Qubes users,
>>> 
>>> If I execute update of the fedora-24 template via the Qubes VM
>>> manager, it aborts with the error
>>> 
>>> nothing provides ostree-libs(x86-64) >= 2016.14 needed by 
>>> flatpak-0.8.3-3.fc24.x86_64
>>> 
>>> If I use sudo dnf upgrade from the terminal within fedora-24
>>> the command is executed, but later executions list the problem
>>> with flatpack (broken dependencies)
>>> 
>>> of course I can remove flatpack, but I don't know whether I may
>>> need it?!
>>> 
>>> thanks
>> 
>> I removed it haven't noticed any problems.  But I also wonder
>> what it is.
> 
> Hopefully removing it did not lessen my security?
> 

Relevant issue: https://github.com/QubesOS/qubes-issues/issues/2656

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Feedback request: Incremental file-based backup PoC

2017-03-05 Thread Vít Šesták
On backup backends: I'd like to move the discussion to GitHub. I've summed up 
what we need and created a comparison table: 
https://github.com/v6ak/qubes-incremental-backup-poc/issues/35

Regards,
Vít Šesták 'v6ak'



Re: [qubes-users] Abridged summary of qubes-users@googlegroups.com - 33 updates in 17 topics

2017-03-05 Thread Amilton Justino
Hello all,

I am not able to get ssh-agent and ssh-add to start automatically in an
AppVM with fedora 23.
Running them manually at every login works correctly. Has anyone got this working?

Thanks in advance,





Re: [qubes-users] First time user: initial issues and thoughts

2017-03-05 Thread Chris Laprise

On 03/05/2017 08:11 AM, sm8ax1 wrote:
> Thanks, I read the custom install page prior to installing, but I was
> unaware of #2340.
> 
> To be honest, when I decided I wanted BTRFS, I just sort of assumed that
> guest disk images were logical volumes to begin with. The custom install
> page mentioned LVM in every scenario, so I thought it was necessary for
> that reason. And the Xen wiki repeatedly mentions that logical volumes
> are faster than image files on any kind of filesystem. It was, however,
> suspicious when the custom install page said "-l 100%FREE" for the root
> LV. I guess that's what I get for assuming.
> 
> Are there any plans for hooking Qubes up to the LVM in this way? LVM
> itself supports block-level rw CoW snapshots, and the Xen project
> strongly recommends it over image files.

Normally you shouldn't mix Btrfs with LVM, as the former is a kind of 
volume manager in itself.

I have used Btrfs on Qubes for probably close to 2 years and it has been 
very good in terms of stability and performance. However, anaconda 
(fedora's installer) doesn't handle a mixture of partitioning and fs 
options well, esp. if you select Btrfs. The only 'good' way I've found 
is to select a Btrfs system install and let it re-partition the whole 
disk; otherwise, it has a tendency to forget steps such as the LUKS 
encryption layer.

Note that thin-provisioned LVM (probably the type you're referring to) 
incurs a speed penalty as well. It's really doing the same work as Btrfs, 
but without some of the nice features.

>>> I wanted to setup MAC address spoofing on my wireless interface too, so
>>> I modified /etc/NetworkManager/NetworkManager.conf in sys-net, but when
>>> I restarted it my changes were gone. I read that I have to make changes
>>> in the TemplateVM itself (fedora-23) for them to be persistent, but the
>>> problem is that I don't necessarily need all VMs to have this change.
>>> I'm still not sure of the correct way to make changes to a single VM
>>> that inherits from a TemplateVM.
>> 
>> On MAC anonymization:
>> 
>> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
> 
> That's more or less what I read on other sites. I think we should
> consider putting a Big Fat Warning on that page saying that your changes
> will be lost on restart if the VM belongs to a template, or you could
> easily leak your real MAC address by accident.

This behavior is explained in Qubes introductory material... 
template-based VMs forget anything that isn't in /rw (such as home/). 
That's why it's routine for Qubes docs to instruct adding settings to the 
template. In this case, the doc also has the user restarting the netVM 
before checking the MAC address.

Also, a given template does boot differently depending on the VM type 
(netVM, proxyVM, appVM) that's using it. So Network Manager settings 
don't really affect appVMs since they aren't intended to run NM.

>> On TemplateVM persistence:
>> 
>> https://www.qubes-os.org/doc/templates/#important-notes
>> 
>> On making directories persistent without making the changes in a TemplateVM:
>> 
>> https://www.qubes-os.org/doc/bind-dirs/
> 
> Thanks. It sounds like bind-dirs.sh is just what I need!

There are several alternatives for configuration. The VPN doc describes 
using /rw/config (without bind-dirs) to configure and script things for 
a specific VM. You could also create a standalone netVM so that config 
changes become very straightforward. It depends on the specific case.

Chris

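A worked version of the bind-dirs route Chris and the linked doc describe, for the sys-net NetworkManager case above. This is added example code written for this page, not part of the thread or of the Qubes project. It assumes the Qubes 3.2 bind-dirs layout (user entries in /rw/config/qubes-bind-dirs.d/*.conf as a shell fragment appending to the `binds` array, persistent copies under /rw/bind-dirs/<path>), that bind-dirs mounts the file before NetworkManager starts at boot, and it takes the NetworkManager MAC-randomization keys from the anonymizing-your-mac-address doc linked above; the file name 50_user.conf and the ROOT variable (so the logic can be exercised in a scratch directory) are choices made here.

```sh
#!/bin/sh
# Added example (not from the thread or the Qubes docs): keep a per-VM
# edit of /etc/NetworkManager/NetworkManager.conf in sys-net across
# reboots via bind-dirs instead of editing the TemplateVM.
# Assumptions (Qubes 3.2 bind-dirs layout):
#   - /rw/config/qubes-bind-dirs.d/*.conf are shell fragments that append
#     paths to the 'binds' array
#   - the persistent copy of a bound file lives under /rw/bind-dirs/<path>
#   - the NetworkManager keys below are the ones from the Qubes
#     MAC-anonymization doc; check them against your template's NM version
# ROOT="" on a real VM; set it to a scratch directory to dry-run.

ROOT="${ROOT:-}"
NM_CONF="/etc/NetworkManager/NetworkManager.conf"

# Register NM_CONF with bind-dirs (idempotent: the entry is added once).
register_bind() {
    conf="$ROOT/rw/config/qubes-bind-dirs.d/50_user.conf"
    mkdir -p "$(dirname "$conf")"
    if ! [ -f "$conf" ] || ! grep -Fq -- "'$NM_CONF'" "$conf"; then
        printf "binds+=( '%s' )\n" "$NM_CONF" >> "$conf"
    fi
}

# Seed the persistent copy from the template's file (so existing settings
# are not lost), then append the MAC-randomization sections once.
seed_persistent_copy() {
    dst="$ROOT/rw/bind-dirs$NM_CONF"
    src="$ROOT$NM_CONF"
    mkdir -p "$(dirname "$dst")"
    if ! [ -f "$dst" ]; then
        if [ -f "$src" ]; then cp "$src" "$dst"; else : > "$dst"; fi
    fi
    if ! grep -Fq 'cloned-mac-address=random' "$dst"; then
        cat >> "$dst" <<'EOF'

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF
    fi
}

# Succeeds only when both the bind entry and the settings are in place.
persistence_ok() {
    grep -Fq -- "'$NM_CONF'" "$ROOT/rw/config/qubes-bind-dirs.d/50_user.conf" &&
    grep -Fq 'wifi.cloned-mac-address=random' "$ROOT/rw/bind-dirs$NM_CONF"
}

setup_nm_persistence() {
    register_bind
    seed_persistent_copy
    persistence_ok
}

# Run as root inside sys-net:  sh setup-nm-persist.sh --run
if [ "${1:-}" = "--run" ]; then
    setup_nm_persistence
fi
```

After running it, restart sys-net and only then compare the address shown by `ip link` with the hardware address; a change that has not survived the restart is exactly the silent leak sm8ax1 warns about, so the check after the reboot is the part not to skip.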


Re: [qubes-users] Re: Attaching a single USB device to a qube (USB passthrough)

2017-03-05 Thread Andrew David Wong

On 2017-03-05 14:18, Franz wrote:
> On Sun, Mar 5, 2017 at 5:11 PM,  wrote:
>> [...] did it work with it plugged in at boot?
>> 
> did not try that wondering if it may be a security risk

Yes, leaving USB devices plugged in during boot can be a risk, since
Qubes can't isolate USB controllers during early stages of the boot
process. IIRC, Joanna's recommendation is to unplug all USB devices
before (re)booting.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Problems installing on device running Coreboot

2017-03-05 Thread Duncan
Dear Qubes users,

I am having trouble installing Qubes OS on my Thinkpad T420, after
installing Coreboot on it. Here is what I have to report.

The device is as follows, a Thinkpad T420 with an i7-2720QM. It has the
discrete Nvidia graphics, 16G of RAM, and an SSD.

Coreboot was configured as follows: SeaBIOS as primary payload, native
graphics initialization, microcode updates included, resulting image
"de-blobbed" with me_cleaner, memtest86+ as secondary payload. Coreboot
boots fine into SeaBIOS and can see all devices. I shorted WP/GND on the
flash chip to prevent arbitrary rewrites by the operating system.

I had already installed Qubes on the device when it was running the
proprietary BIOS. This worked fine, without any trouble. Originally, the
device had an i7-2670QM, but I acquired an i7-2720QM since the 2670 did
not have the IO/MMU feature. The device can boot the installer without
any problems (other than odd messages about rendering errors, but these
are not alarming).

The device can also boot the original installation of Qubes from when it
was running the proprietary BIOS.

The behavior of trying to boot a stock Qubes install that was installed
using the installer booted by Coreboot, is that selecting the SSD to
boot from just seems to result in hanging. It should boot after 1 minute
or so, (or considerably less considering this is an SSD) but it hangs
for considerably longer than that, whereafter I turned off the computer
to save power.

Theory 1: The SSD is the problem. To test this, I decided to install a
different OS on the SSD, in this case, Debian 8. This worked flawlessly.
This suggests that there is no flaw with the SSD. I actually
(regrettably) attempted to install Qubes over the original installation
of Qubes, to test if Coreboot was not playing well with the SSD. The
same behavior occurred.

Theory 2: Coreboot, or SeaBIOS, is the problem. This does not make sense
either, since I was able to boot the original Qubes installation, the
Qubes installer, as well as install Debian on the SSD.

Theory 3: The new processor is the problem. The other hardware I
introduced into the system does not seem to be the issue, since I was
able to boot Debian, the Qubes installer, and the original install of
Qubes without issue. Concerning the new processor, I was able to get
Coreboot to work flawlessly with it, so I suspect this is not
interfering with the software.

Theory 4: Qubes installer is not playing well with Coreboot somehow.
This seems to be the problem, since I can boot the other Qubes install,
and Debian installs fine on this.

Firstly, I suspected that the automatic partition might be somehow iffy,
e.g. malformed boot partition. I am not sure what would cause this. So I
attempted to install with the simplest setup, a 500M partition for
/boot, and then filled the rest of the disk with an encrypted /
partition. Perhaps there is a better way to partition, but I am
unfamiliar with Anaconda's partitioning interface. The way that volume
groups are handled was particularly confusing. Regardless, this was not
successful at all.

Another prime suspect is graphics not working for some reason - but I am
quite unsure about this also, since the Qubes installer seems to work
flawlessly in terms of booting up and allowing interaction - I would
assume that the Qubes installer is very similar to regular Qubes in how
it boots up and handles graphics, so I remain skeptical of this being
the issue.

Furthermore, reading other threads concerning Coreboot and Qubes, I get
the impression that many fellow Coreboot users did not attempt to
install Qubes from a system already running Coreboot, and instead used
the previous installation. Perhaps there is an issue in the Qubes
installer that has remained uncovered? 

Alternatively, I may be missing something very crucial. If so, please
feel free to berate me!

Thank you in advance,

D



Re: [qubes-users] qvm-create-default-dvm fails

2017-03-05 Thread Unman
On Sat, Mar 04, 2017 at 04:18:56AM +0100, haaber wrote:
> Hello,
> 
> I want to base my disp-vm's on debian-8. So I run in dom0
> 
> > [me@dom0 dvmdata]$  sudo qvm-create-default-dvm debian-8
> > A VM with the name 'debian-8-dvm' does not exist in the system.
> 
> this is strange, since /var/lib.qubes/appvms/debian-8-dvm DOES exist.
> Running it with "sh -x" prefix, I find the problem here:
> > [me@dom0 dvmdata]$  sudo sh -x qvm-create-default-dvm debian-8
> > [..]
> > + /usr/lib/qubes/qubes-prepare-saved-domain.sh debian-8-dvm /var/lib/qubes/appvms/debian-8-dvm/dvm-savefile vm-default
> > A VM with the name 'debian-8-dvm' does not exist in the system.
> 
> so the error  is produced by qubes-prepare-saved-domain.sh. Prefixing
> the hurting command with  "bash -x" gives
> 
> > sudo bash -x qubes-prepare-saved-domain.sh debian-8-dvm /var/lib/qubes/appvms/debian-8-dvm/dvm-savefile vm-default
> > [..]
> > + qvm-start debian-8-dvm --dvm
> > A VM with the name 'debian-8-dvm' does not exist in the system.
> 
> This is a python2 script. Running it with -v reveals
> 
> > [me@dom0 dvmdata]$ sudo /usr/bin/python2 -v /usr/bin/qvm-start debian-8-dvm --dvm
> > [..]
> > # /usr/lib64/python2.7/gettext.pyc matches /usr/lib64/python2.7/gettext.py
> > import gettext # precompiled from /usr/lib64/python2.7/gettext.pyc
> > # /usr/lib64/python2.7/locale.pyc matches /usr/lib64/python2.7/locale.py
> > import locale # precompiled from /usr/lib64/python2.7/locale.pyc
> > # /usr/lib64/python2.7/copy.pyc matches /usr/lib64/python2.7/copy.py
> > import copy # precompiled from /usr/lib64/python2.7/copy.pyc
> > A VM with the name 'debian-8-dvm' does not exist in the system.
> 
> Here I am stuck. May anybody help me understand what may go wrong here? 
> Bernhard
> 

Don't use sudo here - you may hit problems with permissions. The same
goes for all qube operations - qvm-clone, create etc.

Can you simply delete the  /var/lib/qubes/appvms/debian-8-dvm directory
and then try 'qvm-create-default-dvm debian-8' , and report back?



Re: [qubes-users] DNS

2017-03-05 Thread Andrew David Wong

On 2017-03-05 13:07, Unman wrote:
> On Sun, Mar 05, 2017 at 09:25:07PM +0100, 'Antoine' via qubes-users wrote:
>> Hi,
>>
>> I have recently installed Qubes OS and I am experiencing slow name
>> resolution in my debian VM. I have checked the /etc/resolv.conf file and
>> it contains the following lines:
>>
>> nameserver 10.137.2.1
>> nameserver 10.137.2.254
>>
>> Playing with dig, I can see that the first IP is working well while
>> all DNS queries sent to the second one time out:
>>
>> $ dig +short qubes-os.org @10.137.2.1
>> 104.25.152.101
>> 104.25.151.101
>> $ dig +short qubes-os.org @10.137.2.254
>> ;; connection timed out; no servers could be reached
>>
>> In sys-firewall, everything seems OK:
>>
>> $ iptables -S -t nat
>> [...]
>> -A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
>> -A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1
>> -A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
>> -A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254
>>
>> But I have the feeling something is missing in sys-net:
>>
>> $ iptables -S -t nat
>> [...]
>> -A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
>> -A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
>> [...]
>>
>> where 192.168.1.1 is the expected DNS server on my LAN.
>>
>> Do you have an idea why this DNAT rule is missing? (I am not sure I
>> understand why two different nameservers are listed in resolv.conf.)
>>
>> Many thanks for your help,
>>
>> Antoine
>>
>> -- 
> 
> No idea - report it as a bug
> 

Filed a bug report:

https://github.com/QubesOS/qubes-issues/issues/2674

Antoine, you didn't mention which version of Qubes or Debian you're
using, so I assumed Qubes 3.2 and the Debian 8 TemplateVM.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

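A check for the gap Antoine found, as added example code written for this page (not part of the thread, the bug report, or Qubes itself). It takes the /etc/resolv.conf of a VM downstream of the ProxyVM or NetVM under test and that VM's own `iptables -S -t nat` output, and reports every nameserver/protocol pair for which the PR-QBS chain has no DNAT rule. The chain name PR-QBS, the /32 destinations and port 53 are taken from the output quoted above; the embedded sample (10.137.1.1 and 10.137.1.254 as the nameservers sys-firewall would hand down, and the two sys-net rules) is constructed to match the DNAT targets shown and is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or the Qubes project): audit the
# PR-QBS chain of a ProxyVM/NetVM for the DNAT rules that map each
# Qubes-assigned nameserver address onto the upstream resolver.
# Inputs are plain text so it can run against captured output:
#   resolv - /etc/resolv.conf of a VM *downstream* of the VM under test
#   nat    - 'iptables -S -t nat' output captured in the VM under test
# Assumptions: Qubes 3.x naming (chain PR-QBS, /32 destinations, port 53).

# Print "ADDRESS PROTO" for every nameserver/protocol pair that has no
# matching DNAT rule. Prints nothing when the chain is complete.
missing_dns_dnat() {
    resolv="$1"
    nat="$2"
    printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }' |
    while read -r ns; do
        for proto in udp tcp; do
            # Fixed-string matching: the dots in the address are literal.
            if ! printf '%s\n' "$nat" |
                 grep -F -- "-A PR-QBS -d $ns/32 -p $proto " |
                 grep -Fq -- "--dport 53 -j DNAT --to-destination "; then
                printf '%s %s\n' "$ns" "$proto"
            fi
        done
    done
}

# Live use inside the VM under test (run as root); pass the downstream
# VM's resolv.conf contents as the argument.
audit_live() {
    missing_dns_dnat "$1" "$(iptables -S -t nat)"
}

# Constructed sample, modelled on the sys-net output quoted in the thread:
# the .254 nameserver has no DNAT rule for either protocol.
SAMPLE_RESOLV='nameserver 10.137.1.1
nameserver 10.137.1.254'

SAMPLE_NAT='-P PREROUTING ACCEPT
-N PR-QBS
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1'

if [ "${1:-}" = "--demo" ]; then
    missing_dns_dnat "$SAMPLE_RESOLV" "$SAMPLE_NAT"
fi
```

Run with --demo to see the two missing pairs for 10.137.1.254; run audit_live inside sys-firewall (with an AppVM's resolv.conf) and inside sys-net (with sys-firewall's) to find at which hop the chain breaks. A nameserver that is listed but never DNATed is not just slow: every resolver that tries it first waits for the timeout before falling back, which is the symptom at the top of the thread.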


Re: [qubes-users] Firewall error by adding new IP

2017-03-05 Thread Unman
On Sun, Mar 05, 2017 at 10:26:22PM +0100, evo wrote:
> 
> 
> On 03/05/2017 10:22 PM, Unman wrote:
> > On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
> >> oh, thanks... i thought i read the post about firewall, but didn't see
> >> the limit of 3kb.
> >>
> >> so the only way to get over 3kb is to edit own rules in /rw/config?
> >> And for building the own script there, i should really understand the
> >> whole iptables thing.. puh :)
> >>
> >> sorry for the newbie question, but what the hell is /rw??
> >>
> >>
> >>
> >> On 03/05/2017 10:03 PM, Unman wrote:
> >>> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>  Hello!
> 
>  i get an error pop-up:
>  "ERROR: Firewall tab: (0,'Error')
> 
>  by adding new address.
> 
>  i have already added few addresses (about 20 or 30)
>  is there any limit or something like that??
> 
>  thanks!
> >>>
> >>> Yes:
> >>> It's documented here:
> >>> www.qubes-os.org/doc/firewall
> >>>
> >>> There's also a proposal for a work around
> >>>
> > 
> > Can you try not to top-post?
> > 
> > When you are running a TemplateBasedVM, most of the file system comes
> > from the template. This means that many changes that you make will
> > disappear on reboot. (e.g. changing config in /etc, installing programs
> > etc.)
> > Some parts of the file system (/home and /usr/local) DO persist in the
> > qube. They are actually stored in /rw: have a look.
> > There is also a mechanism (bind-dirs) for making other files persistent.
> > You can read about it in the docs.
> > (You can, of course, also store files in /rw/config and use the
> > rc.local mechanism to change files in the root file system on boot - e.g.
> > adding entries to hosts files, custom iptables rules etc etc.)
> > 
> > unman
> > 
> 
> ok, so the /rw is on the VM and not in the dom0, understood.
> 
> do I need a special name for the iptables rules in /rw/config?
> 
> maybe just an example for permitting 8.8.8.8:80 ... I know it's the iptables
> thing :)


For proxyVMs (like sys-firewall) there is a built-in mechanism you can
exploit.
Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
have already hit that 3k limit.
Edit the file /rw/config/qubes-firewall-user-script, and add the line:
iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT

chmod +x /rw/config/qubes-firewall-user-script

This script is called whenever a new qube is attached to the proxyVM
and the relevant iptables rules are automatically rebuilt.

You can also build your own custom rulesets and store them in an
arbitrarily named file called from /rw/config/qubes-firewall-user-script,
and you can, of course, do anything you like from this file, which will
be triggered when a new qube is attached: that is, you aren't limited to
firewall manipulation.

unman


-- 
https://groups.google.com/d/msgid/qubes-users/20170305234126.GA17750%40thirdeyesecurity.org.
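A fuller version of the user script Unman describes above, added here as an illustration (it is not from the thread and not the stock Qubes file). It follows the iptables-based firewall of the Qubes release discussed in this thread and assumes the script is run as root in the proxy qube, as Qubes does. Beyond the single line above it adds three things a practitioner will want: a check with iptables -C before each -I so the rule is not stacked every time Qubes re-runs the script for an attached qube, an optional allow-list file (/rw/config/fw-allow.list is my assumption, not a Qubes path) so the rules that no longer fit in the Firewall tab live in one place, and a dry-run mode so the generated commands can be inspected without root. Note that -I puts these rules ahead of the rules Qubes generates in the FORWARD chain, so they take effect regardless of what the qube's Firewall tab says: keep the list tight.

```shell
#!/bin/sh
# /rw/config/qubes-firewall-user-script -- example, not the stock Qubes file.
# Qubes runs this in the proxy qube (e.g. sys-firewall) whenever it rebuilds
# the iptables rules for an attached qube, so everything here must be safe
# to run repeatedly.

# Set FW_DRYRUN=1 to print the iptables commands instead of executing them
# (useful for checking the script without root or outside the proxy qube).
FW_DRYRUN="${FW_DRYRUN:-}"

# fw_rule CHAIN RULESPEC...: insert RULESPEC at the top of CHAIN, but only if
# an identical rule is not already present (iptables -C), so repeated runs
# don't accumulate duplicates.
fw_rule() {
    if [ -n "$FW_DRYRUN" ]; then
        printf 'iptables -I %s\n' "$*"
        return 0
    fi
    iptables -C "$@" 2>/dev/null || iptables -I "$@"
}

# allow_tcp SRC DST PORT: let the qube with IP SRC reach TCP port PORT on DST.
# The rule lands ahead of the rules Qubes generated for that qube in FORWARD,
# so it applies regardless of what the qube's Firewall tab says.
allow_tcp() {
    fw_rule FORWARD -s "$1" -d "$2" -p tcp --dport "$3" -j ACCEPT
}

# apply_allowlist FILE: one "SRC DST PORT" triple per line; blank lines,
# incomplete lines and lines starting with '#' are ignored. FILE is a
# hypothetical user-maintained list (assumption: /rw/config/fw-allow.list),
# not something Qubes provides.
apply_allowlist() {
    grep -v '^[[:space:]]*#' "$1" | while read -r src dst port; do
        if [ -n "$src" ] && [ -n "$dst" ] && [ -n "$port" ]; then
            allow_tcp "$src" "$dst" "$port"
        fi
    done
}

# apply_rules: the rules that no longer fit in the 3k Firewall tab limit.
apply_rules() {
    allow_tcp 10.137.100.1 8.8.8.8 80
    if [ -r /rw/config/fw-allow.list ]; then
        apply_allowlist /rw/config/fw-allow.list
    fi
}

# Apply only when Qubes executes this file directly; sourcing it just defines
# the functions, so the rules can be inspected with e.g.
#   FW_DRYRUN=1 sh -c '. /rw/config/qubes-firewall-user-script; apply_rules'
case "$0" in
    */qubes-firewall-user-script) apply_rules ;;
esac
```

After saving, chmod +x the file as Unman says; the dry-run line in the last comment prints exactly the iptables commands that the next rebuild will execute, which is the easiest way to spot a typo before it silently opens a hole in the proxy qube.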


Re: [qubes-users] Re: Attaching a single USB device to a qube (USB passthrough)

2017-03-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-03-05 17:56, Franz wrote:
> On Sun, Mar 5, 2017 at 10:39 PM, Andrew David Wong
>  wrote:
> 
>> On 2017-03-05 14:18, Franz wrote:
>>> On Sun, Mar 5, 2017 at 5:11 PM,  wrote:
 [...] did it work with it plugged in at boot?
 
>>> did not try that wondering if it may be a security risk
>> 
>> Yes, leaving USB devices plugged in during boot can be a risk,
>> since Qubes can't isolate USB controllers during early stages of
>> the boot process. IIRC, Joanna's recommendation is to unplug all
>> USB devices before (re)booting.
>> 
>> 
> So, leaving that aside, the only remaining option would be to look
> into some log or similar information source to try to find out why
> the scanner appears in sys-usb, but not in dom0 qvm-usb. Any idea
> where to look?
> 

Sorry, no idea.

P.S. - Franz, would you mind excluding extraneous quoted material from
your replies? In particular, please exclude PGP signatures and generic
Google Groups information included as a signature.

https://www.qubes-os.org/mailing-lists/#discussion-list-guidelines

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYvMvKAAoJENtN07w5UDAwNUsP/0Kv9XmrJtGfBVhfpUAlZ+yC
W5Q5njs+d5nnUayHrhH6dAZukMgNYXzlYj+zNiIr3EAdEX6pEFeBuJpRJ57CVItf
/nXYenALSlRyiqn1GWqrob2cwuJiaC0XTVpwQLjhd6M/KSCqpj1ZiVWYc82UgF53
ZB0ztgK+ynOk03x6IIdeFlAdwlf84BpPqBuLl82N6bQvLMO01aBYcYoia73hUp2D
1sxH0PlGOLmHMB1dD7us+IOUKArJxf9FRnWeozcyWuin6SrdsJux84oFPT9BGVaO
WEGJQKFGTPkZaA2KjktmyE/7lxueoAlaiVbCCA2LZhJgB1EFO/IP8qEzB/vOboBt
X9D0k3/X8BSvzqxUX+L9NUeoey7ryorHimR8SdBE1dftOgjTttbapbfAPGl3NSi6
COlYXMTtBAoPDNBnSx1imE9yq+36cmXQExsAAW4U2x0IlJJKqMqUjo4YVohU7/u9
TuRvfRNrRXAZTMM0+kM5FZsUXMhyc5PrF5OgRlMvsbPGCRc8k16DDXLi2oQq/yTO
MJEzHaU0WZ3JOmPzR1RjxU19wX9gAggtU4PDc+cGlOTQizVTlsODoc1Y86Otdsta
/ZFR7xDc9jP2g6J5eYTfcczFmXvxAUoGqKLTZ+LZ+H+TBrnatk7+iHDY66RCDNjI
jt7fDX4K+KDGEdi/u86F
=FT4M
-END PGP SIGNATURE-

-- 
https://groups.google.com/d/msgid/qubes-users/c412fe7d-d163-d34f-ec64-b2677e8cb352%40qubes-os.org.


Re: [qubes-users] Firewall error by adding new IP

2017-03-05 Thread evo


On 03/06/2017 12:41 AM, Unman wrote:
> On Sun, Mar 05, 2017 at 10:26:22PM +0100, evo wrote:
>>
>>
>> On 03/05/2017 10:22 PM, Unman wrote:
>>> On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
 oh, thanks... I thought I read the post about firewall, but didn't see
 the limit of 3kb.

 so the only way to get over 3kb is to edit own rules in /rw/config?
 And for building the own script there, I should really understand the
 whole iptables thing.. puh :)

 sorry for the newbie-question, but what the hell is /rw??



 On 03/05/2017 10:03 PM, Unman wrote:
> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>> Hello!
>>
>> i get an error pop-up:
>> "ERROR: Firewall tab: (0,'Error')
>>
>> by adding new address.
>>
>> i have already added few addresses (about 20 or 30)
>> is there any limit or something like that??
>>
>> thanks!
>
> Yes:
> It's documented here:
> www.qubes-os.org/doc/firewall
>
> There's also a proposal for a work around
>
>>>
>>> Can you try not to top-post?
>>>
>>> When you are running a TemplateBasedVM, most of the file system comes
>>> from the template. This means that many changes that you make will
>>> disappear on reboot. (e.g. changing config in /etc, installing programs
>>> etc.)
>>> Some parts of the file system (/home and /usr/local) DO persist in the
>>> qube. They are actually stored in /rw: have a look.
>>> There is also a mechanism (bind-dirs) for making other files persistent.
>>> You can read about it in the docs.
>>> (You can, of course, also store files in /rw/config and use the
>>> rc.local mechanism to change files in the root file system on boot - e.g.
>>> adding entries to hosts files, custom iptables rules etc etc.)
>>>
>>> unman
>>>
>>
>> ok, so the /rw is on the VM and not in the dom0, understood.
>>
>> do I need a special name for the iptables rules in /rw/config?
>>
>> maybe just an example for permitting 8.8.8.8:80 ... I know it's the iptables
>> thing :)
> 
> 
> For proxyVMs (like sys-firewall) there is a built-in mechanism you can
> exploit.
> Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
> have already hit that 3k limit.
> Edit the file /rw/config/qubes-firewall-user-script, and add the line:
> iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT
> 
> chmod +x /rw/config/qubes-firewall-user-script
> 
> This script is called whenever a new qube is attached to the proxyVM
> and the relevant iptables rules are automatically rebuilt.
> 
> You can also build your own custom rulesets and store them in an
> arbitrarily named file called from /rw/config/qubes-firewall-user-script,
> and you can, of course, do anything you like from this file, which will
> be triggered when a new qube is attached: that is, you aren't limited to
> firewall manipulation.
> 
> unman
> 
> 

thanks!
So I can just write the line for one rule, without writing the whole
script for iptables.

So I can call it however I want or use the qubes-firewall-user-script
file... is it principally the same? Or does qubes-firewall-user-script
replace the whole rules I already have?

The problem I have now is... I forgot to delete the "overloaded" rule
from the VM and now I can not start it. Is there any other way to start
it, or to delete this overloaded 3k-file? Is this file on sys-firewall
or on the VM itself?

-- 
https://groups.google.com/d/msgid/qubes-users/07cbeb51-95f1-5e17-7fc0-17eaaa01f7a4%40aliaks.de.


[qubes-users] Upgrading from Qubes 3 to 4.

2017-03-05 Thread lokedhs
Hello,

I'm looking at getting a new laptop in the next few months. I will, of course, 
run Qubes on this thing but since Qubes 4 is on the horizon I'm wondering how 
easy/difficult it will be to upgrade once it's out. Has anything been said 
about this?

Since I don't really need my new computer until June, I'm considering holding 
off and wait for Qubes 4 to come out. Has anything been said about the release 
date? Googling doesn't reveal much in the way of recent information.

Regards,
Elias

-- 
https://groups.google.com/d/msgid/qubes-users/72ae1f44-22ef-464c-bc13-086e1815be85%40googlegroups.com.


[qubes-users] Re: I can't see my webcam in dom0 with qvm-usb but have to pass to another skype-vm

2017-03-05 Thread Arnulf Bultmann
Sorry for the delay I was working abroad...

this is the output:

[user@dom0 ~]$ lsusb -tv
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/10p, 5000M
|__ Port 6: Dev 2, If 0, Class=Hub, Driver=hub/4p, 5000M
|__ Port 4: Dev 3, If 0, Class=Hub, Driver=hub/4p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/16p, 480M
|__ Port 10: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 1: Dev 4, If 0, Class=Mass Storage, Driver=usb-storage, 480M
|__ Port 4: Dev 6, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 2: Dev 7, If 0, Class=Audio, Driver=snd-usb-audio, 480M
|__ Port 2: Dev 7, If 1, Class=Audio, Driver=snd-usb-audio, 480M
|__ Port 2: Dev 7, If 2, Class=Video, Driver=uvcvideo, 480M
|__ Port 2: Dev 7, If 3, Class=Video, Driver=uvcvideo, 480M
|__ Port 11: Dev 3, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
|__ Port 11: Dev 3, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M
|__ Port 12: Dev 5, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
[user@dom0 ~]$

On 03/01/2017 05:56 PM, Grzesiek Chodzicki wrote:
> On Wednesday, 1 March 2017 at 16:18:53 UTC+1, Arnulf Bultmann wrote:
>> this is the output:
>>
>> lspci -tv
>> -[0000:00]-+-00.0  Intel Corporation Skylake Host Bridge/DRAM Registers
>>            +-02.0  Intel Corporation HD Graphics 530
>>            +-08.0  Intel Corporation Skylake Gaussian Mixture Model
>>            +-14.0  Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller
>>            +-14.2  Intel Corporation Sunrise Point-H Thermal subsystem
>>            +-16.0  Intel Corporation Sunrise Point-H CSME HECI #1
>>            +-17.0  Intel Corporation Sunrise Point-H SATA controller [AHCI mode]
>>            +-1d.0-[01]--
>>            +-1d.3-[02]----00.0  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
>>            +-1f.0  Intel Corporation Sunrise Point-H LPC Controller
>>            +-1f.2  Intel Corporation Sunrise Point-H PMC
>>            +-1f.3  Intel Corporation Sunrise Point-H HD Audio
>>            \-1f.4  Intel Corporation Sunrise Point-H SMBus
> okay, and what does the output of lsusb -tv looks like?


-- 
https://groups.google.com/d/msgid/qubes-users/df9434ba-c286-1870-5a9b-3446e742c2d5%40allmedo.de.




Re: [qubes-users] Re: fedora-24 update error: nothing provides ostree-libs(x86-64) >= 2016.14 needed by flatpak-0.8.3-3.fc24.x86_64

2017-03-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-03-05 12:05, raahe...@gmail.com wrote:
> On Sunday, March 5, 2017 at 5:31:48 AM UTC-5, Andrew David Wong wrote:
> On 2017-03-03 15:41, raahe...@gmail.com wrote:
 On Friday, March 3, 2017 at 6:38:24 PM UTC-5, raah...@gmail.com
 wrote:
> On Friday, March 3, 2017 at 9:40:20 AM UTC-5,
> mitte...@digitrace.de wrote:
>> Hello fellow Qubes users,
>>
>> If I execute update of the fedora-24 template via the Qubes VM
>> manager, it aborts with the error
>>
>> nothing provides ostree-libs(x86-64) >= 2016.14 needed by 
>> flatpak-0.8.3-3.fc24.x86_64
>>
>> If I use sudo dnf upgrade from the terminal within fedora-24
>> the command is executed, but later executions list the problem
>> with flatpak (broken dependencies)
>>
>> of course I can remove flatpak, but I don't know whether I may
>> need it?!
>>
>> thanks
>
> I removed it haven't noticed any problems.  But I also wonder
> what it is.

 Hopefully removing it did not lessen my security?

> 
> Relevant issue: https://github.com/QubesOS/qubes-issues/issues/2656
> 
> 
> yes but is removing flatpak bad for my security? maybe I should install it 
> again?
> 

Sorry, I have no idea. I'm guessing not, since it appears to be absent
from the fedora-minimal template.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYvLtlAAoJENtN07w5UDAwkgMP/1LvO8CB7M/UntbE3XFiufmu
wz67nbrHEcXBbFHTm310rdh0XTxCvubLhwdVzNc1UQlP0Kc6KbcaJBW592EATTt1
bHfixs2eZ56VRu3P6WGADijf1VN8SkCCG6B0AEsijwWQqcK0Ejn5qdvyWYTaApmj
u1IpZ3Q2DZFUoze0H/FgwVvVT0VavqcYv6jExa22Yug/hqYrjCB/lRCLe6hTOJiP
gxVINpionWeonUpAlVuQDNGyF9+FumDf+AX7vMBR1r0DgTuslDc36/AnHx8KuMFK
nOjetkbvD5bYMPQ/k3FkCP1c+OodX9IU0SwL/I3hLCZIfE6oS+hZNHi2NeUmrB3W
xno4C58cGEsDKbPs4eZ2SlgXmM2PTekVzlU1rikjOeADz3W9off7n1Hbg6aPY3on
dWBJFmD1W9Uk5INTQNFj97rtjixmyv1U28P8Ia5/aOcUTS40rYJyOJNghfXv5phM
MvZY/buVb61M2t6MNObKLvbsRkmkAz9JOq7iLI5HwC0ZpReDWQmpXaGPUJ3WY5ot
tt/cWQ9KlZIH87gKanyANZLI2CyMf2Afk86fKzjZB2AS6o5XjXf1mcVKdSvSVGO7
kFoWb6t/M5Gm7+bsr/TJyG92Rvv5x9PC7xhQ19OmmIgsUyS4NsZ55hwuvvhS7wi6
7XNilGUhv9Nr4BJWUzAj
=TEcT
-END PGP SIGNATURE-

-- 
https://groups.google.com/d/msgid/qubes-users/06342b3f-4670-3e20-b86e-d10f8097f78b%40qubes-os.org.


Re: [qubes-users] Re: Attaching a single USB device to a qube (USB passthrough)

2017-03-05 Thread Franz
On Sun, Mar 5, 2017 at 10:39 PM, Andrew David Wong  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2017-03-05 14:18, Franz wrote:
> > On Sun, Mar 5, 2017 at 5:11 PM,  wrote:
> >> [...] did it work with it plugged in at boot?
> >>
> > did not try that wondering if it may be a security risk
>
> Yes, leaving USB devices plugged in during boot can be a risk, since
> Qubes can't isolate USB controllers during early stages of the boot
> process. IIRC, Joanna's recommendation is to unplug all USB devices
> before (re)booting.
>
>
So, leaving that aside, the only remaining option would be to look into
some log or similar information source to try to find out why the scanner
appears in sys-usb, but not in dom0 qvm-usb. Any idea where to look?

> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
>
> iQIcBAEBCgAGBQJYvL2rAAoJENtN07w5UDAwQj4P/2tjrBk2wK5mpE7+EEZ4o4ss
> Y/EFoEuD/331qI82tHVYvJdDz41HGXdsugZYOR8w4xuQLgDcOCbkOf1sxHk/PgGl
> MVIPqHhH/fdapsGkNM30ZjjdotKpeEMi+Bxfo1cglaOzXnvRwuAVlX0l96Aob5EE
> 3Y4MnYmUA3simV45hQGMEyfNKZ4mahNVyLTpDglmKZwFdXLYeHcOWm6H8X0FOFS2
> WXBY8UzpIFz0l9XJW9tBuEVnPIHn57m8wxrrQNXxzeaD88h17ZhyVGTbP2jTLSvm
> gAbTdZq4y+7Vl4ZeW/mi7Wz+9D406y0JNzJBBGlDXdMpmaVszQ+BxVakrKYs0yZJ
> xFWP3p84RF3UH0TYrO1YK709PKP8uLjPoRsviW8UCa9tk5hOSIAs3UMUuZhax6r7
> e9wxYW2+ZryhhlOSx2JPVhj/0zZ9w3enY7sq1RWDKlvQ3SDpsGJ6tX0L3BtGgsQv
> /LOZKCH3EY367jUUwt23bDPbllGb/7E6hXwHLFbWbOG2WZejE8NuizboL8uu2EVj
> FaEKXOUOQMWPc5lZXLEABgQInTiX0RN/GgK6fCteyTFbffR8IRqY9xe3Xy4ee5ti
> JIqRCRcvgfB6K9+JjpLwheCY1Z40DV/fA/sqX6Vh9TIG89ppoF7nMKA/8r83mQZ5
> y+YKmXvDB0Rm6hbe/cSV
> =hO24
> -END PGP SIGNATURE-
>
>

-- 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qAFwt2iDGp6kSkFE2OD1wZi68dr77TvND%3Df--KPE09c%3DA%40mail.gmail.com.