Re: [qubes-users] customizing Firefox in disp-vms

2021-02-03 Thread prago via qubes-users

>> The solutions I gave above which do not involve copying the .mozilla
>> directory solve this problem without increasing fingerprintability
>> (except to the extent that the settings you change increase
>> fingerprintability inherently).

I've used salt to configure my disposable VMs and customise Firefox.
The repo is available here:
https://gitlab.com/prago/my-salt

The ffmods section is the relevant bit.
I haven't updated it recently but I think it still works.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/MSd0QSv--3-2%40tutanota.de.


Re: [qubes-users] Re: using salt - how to debug?

2020-05-18 Thread prago via qubes-users

I think the pillar files need to be in /srv/pillar/
The following example should work:

/srv/pillar/fedora-version.top
base:
  dom0:
    - fedora-version

/srv/pillar/fedora-version.sls
version: 31

Then the file needs to be linked to another directory:
ln -s /srv/pillar/fedora-version.top /srv/pillar/_tops/base/fedora-version.top

This can be tested with the following command:
sudo qubesctl pillar.get version
and it can be used in salt files as you have used it.



Re: [qubes-users] Help sending multiple files using qrexec

2019-12-04 Thread prago


I should have mentioned that this was part of a bigger script; using qvm-copy
would have required me to also pass along the qube name, so I could then cd to
the correct QubesIncoming directory. Keeping it simple I went with tar:

Script one on the client:

# pack every argument into one tar stream on stdout ("$@" quoted so names with spaces survive)
tar -c "$@" | cat

Script two on the server:

cat | tar -x

Thanks for the help!

> Can a hacker use the same script to transfer files from a victim's PC remotely?
> And if so, how easy is it?
This can't be used remotely; the server I mention above is another virtual
machine in the same Qubes system. This is just sending files between two qubes.



[qubes-users] Help sending multiple files using qrexec

2019-12-03 Thread prago

Hi,

I am trying to send multiple files using qrexec by catting the files using the
following scripts:

Script one on the client:

echo "$#"                     # number of files that follow
while [ -n "$1" ]; do
    echo $(wc -l "$1")        # per-file header: "<line count> <file name>"
    cat "$1"                  # file body
    shift
done


Script two on the server:

read NUMFILES                          # count sent by the client
READFILES=0
while [ "$READFILES" -lt "$NUMFILES" ]; do
    read CATFILESIZE CATFILENAME       # per-file header from the client
    head -n "$CATFILESIZE" > "$CATFILENAME"
    ((READFILES++))
done


This successfully sends the first file, but not the second. Can anyone help
with this, or should I be using qvm-copy?

Thanks for reading

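The two scripts in the message above and the tar version from the follow-up reply, reworked as an added example that is not the poster's code: a line-count protocol fails on a file without a trailing newline, and GNU head reading from a pipe consumes a whole block it cannot seek back over, so it eats the start of the next file, whereas one tar stream carries names, sizes and bytes itself. Both sides are plain shell functions joined by a local pipe standing in for the qrexec channel; the file contents are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's scripts: the tar-over-qrexec
# pattern from the thread, wrapped in functions so it runs locally with a
# plain pipe in place of the qrexec channel. All file contents are
# constructed for the demonstration.
set -eu

# Client side: one tar stream for all arguments. "$@" stays quoted so
# names containing spaces arrive intact; "--" stops tar from reading a
# file name that starts with "-" as an option.
send_files() {
    tar -cf - -- "$@"
}

# Server side: unpack into a dedicated directory, the way qvm-copy uses
# ~/QubesIncoming/<qube>/, rather than into the caller's current directory.
recv_files() {
    dest=$1
    mkdir -p "$dest"
    tar -xf - -C "$dest"
}

# Round trip two files: one with no trailing newline (where a "wc -l"
# line count does not describe the bytes that follow) and one whose name
# contains a space. Prints the number of files received.
demo_roundtrip() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'first file\nline two\n' > "$work/src/a.txt"
    printf 'no trailing newline' > "$work/src/b c.txt"
    ( cd "$work/src" && send_files a.txt "b c.txt" ) | recv_files "$work/dst"
    # Byte-for-byte comparison of every file that went through the pipe.
    cmp -s "$work/src/a.txt" "$work/dst/a.txt" || return 1
    cmp -s "$work/src/b c.txt" "$work/dst/b c.txt" || return 1
    n=$(ls "$work/dst" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n"
}
```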


Re: [qubes-users] Customizing Firefox in dispVMs (brand new profile on every dispVM startup)

2019-11-12 Thread prago

t 19, 2019, 00:05 by qubes-users@googlegroups.com:


    Problem
    ===

    Firefox can leak various IDs from a profile to websites, so different
    sessions can be correlated across different qubes, including DispVMs.
    See e.g. [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1372288)
    and possibly many other bugs.


    (Partial) solution
    ===

    On every DispVM startup, we start without a Firefox profile, so a fresh one
    with random ID is created. However, the default settings are not very privacy
    friendly (and annoying), so we need to change some and we also need to auto
    install some extensions (e.g. ad blocker).
    We do this by deploying a Firefox `policies.json` file into
    `/usr/lib/firefox-esr/distribution/policies.json` _before_ FF starts, so it
    pulls these settings onto itself at startup. We use the Qubes
    `/rw/config/rc.local` script to deploy the FF policy, as it runs immediately
    after VM startup.


    Limitations
    ===

    There are still plenty of opportunities to fingerprint the Firefox+OS+HW
    combo, e.g. the classic [EFF panopticlick](https://panopticlick.eff.org/) (see
    fingerprint section after test) or the more advanced leak tests at
    [browserleaks](https://browserleaks.com).
    For a whole list of leak test sites check this GitHub page of
    [ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-A---Test-Sites)

    No bookmarks (perhaps also deployable by script), no history.


    Qubes setup
    ===

    Docs for the setup:

    - [mozilla/policy-templates](https://github.com/mozilla/policy-templates/blob/master/README.md)
    - [Qubes: running script on VM startup](https://www.qubes-os.org/doc/config-files/)

    In a TemplateVM of DispVMs (DVM Template) put your settings in
    `/rw/config/firefox_policies.json`, e.g.:

    ...
    and set up `/rw/config/rc.local` to deploy the policy at VM startup:

    ...

    Further ideas, TODO
    ===

    - Install more extensions: NoScript or uMatrix, etc.
    - How to set up extensions, e.g. add a list to uBlock?
    - Perhaps use Debian central `user.js`: `/etc/firefox-esr/firefox-esr.js`
      and fill it with
      `https://github.com/ghacksuserjs/ghacks-user.js`
      or
      `https://github.com/pyllyukko/user.js`

I've created a salt for my setup; it also includes the further ideas section
with a few hacks to get everything to work properly. I install the add-ons from
the Debian repos and make modifications to the source of uMatrix to allow
changing the default rules. This isn't necessary on uBlock as there is a way to
deploy custom settings from a file. I've taken the ghacks user.js file as my
starting point and added my customisations into the user-overrides file. I also
delete the .mozilla folder in the home folder at start up. The repo is
available here:

https://gitlab.com/prago/my-salt

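An added example, not the rc.local that the quoted post elides and not code from the poster's salt repo: the deploy step the post describes (policy file from /rw/config copied into the Firefox distribution directory before the browser starts) together with the profile wipe the reply mentions, with a validity check on the JSON first. Paths are parameters so it can be exercised against a temporary tree; the sample policy is constructed, uses key names from mozilla/policy-templates, and carries a placeholder extension URL.

```shell
#!/bin/sh
# Added example, not the original rc.local: deploy a Firefox enterprise
# policy from /rw/config at VM start and remove any leftover profile so
# every DispVM starts from a fresh one. All three paths are parameters
# so the function can be exercised against a temporary directory tree.
set -eu

deploy_ff_policy() {
    src=$1      # e.g. /rw/config/firefox_policies.json
    ffdir=$2    # e.g. /usr/lib/firefox-esr
    home=$3     # e.g. /home/user
    [ -r "$src" ] || return 1
    # Refuse a policy that is not valid JSON: Firefox ignores a broken
    # policies.json silently and would start with its unhardened defaults.
    if command -v python3 > /dev/null 2>&1; then
        python3 -m json.tool "$src" > /dev/null || return 1
    fi
    install -d -m 755 "$ffdir/distribution"
    install -m 644 "$src" "$ffdir/distribution/policies.json"
    # No carried-over profile, hence no carried-over client identifiers.
    rm -rf "$home/.mozilla"
}

# Constructed sample policy (key names from mozilla/policy-templates; the
# extension URL is a placeholder, not a real add-on location).
demo_deploy() {
    work=$(mktemp -d)
    mkdir -p "$work/home/.mozilla/firefox/stale.default"
    cat > "$work/firefox_policies.json" <<'EOF'
{
  "policies": {
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "Extensions": {
      "Install": ["https://example.invalid/placeholder-adblocker.xpi"]
    }
  }
}
EOF
    deploy_ff_policy "$work/firefox_policies.json" "$work/ff" "$work/home"
    [ -f "$work/ff/distribution/policies.json" ] || return 1
    [ ! -e "$work/home/.mozilla" ] || return 1
    rm -rf "$work"
    echo ok
}
```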


Re: [qubes-users] How to get Ledger Nano S connected to VM

2019-07-08 Thread prago

> How do I uncover the Nano S in Qubes?

Hi,
after unlocking the Ledger it shows up in qvm-usb for me.
I think this may be something to do with the way you have
the USBs configured, so it's not specifically a ledger
problem.



Re: [qubes-users] Re: Question on the new format of rules for Qubes mirage firewall

2019-07-08 Thread prago

>> Hi,
>> With the old format of rules for the mirage firewall I had the following 
>> setup:
>> ...
>> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
>>
>> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>>   [ "10.137.0.20" ;
>>     "10.137.0.21"
>>   ]
>>
>>
>> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
>>
>> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
>>
>> let from_client = function
>>   | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
>>     && c#other_ip = mgmt_local -> `NAT
>>   | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
>>     && List.mem c#other_ip allowed_to_git -> `NAT
>> ...
>>
>> Is it possible to get the same functionality with the new rules using the prefix
>> and the lists of addresses? It would also be useful to be able to block prefixes
>> as well if that's possible.

> There are two ways to get that working. The quick way is to get the src/dst 
> IP addresses from the `packet` field instead, e.g.
>
> let externals = [
>   "192.168.1.101", `Git;
> ]
>
> ...
>
> | { src = `Client _;
>     dst = `External `Git;
>     packet = `IPv4 ({Ipv4_packet.src}, _)}
>   when List.mem src allowed_to_git -> `NAT
>
> Another solution would be to edit firewall.ml to allow specifying subnets, 
> not just hosts. That's a bit more work, though.

Many thanks for your help with this and for the project!
I went with the quick way for now.
I now have the following rules if anyone else finds them useful:

...
let clients = [
  "10.137.0.22", `MgmtLocal;
]

let externals = [
  "192.168.1.101", `Git;
]

let allowed_to_git = List.map Ipaddr.V4.of_string_exn
  [ "10.137.0.20";
    "10.137.0.21"
  ]

let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"

let from_client (...
  match info with
    | { src = `Client `MgmtLocal; dst = `External _; packet = `IPv4 ({Ipv4_packet.dst}, _) }
      when Ipaddr.V4.Prefix.mem dst local_subnet -> `NAT
    | { src = `Client _; dst = `External `Git; packet = `IPv4 ({Ipv4_packet.src}, _) }
      when List.mem src allowed_to_git -> `NAT
...

This all compiled and seems to be working well.
Thanks again



[qubes-users] Question on the new format of rules for Qubes mirage firewall

2019-07-05 Thread prago

Hi,

With the old format of rules for the mirage firewall I had the following setup:

...
let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"

let allowed_to_git = List.map Ipaddr.V4.of_string_exn
  [ "10.137.0.20" ;
    "10.137.0.21"
  ]

let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"

let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"

let from_client = function
  | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
    && c#other_ip = mgmt_local -> `NAT
  | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
    && List.mem c#other_ip allowed_to_git -> `NAT
...

Is it possible to get the same functionality with the new rules using the prefix
and the lists of addresses? It would also be useful to be able to block prefixes
as well if that's possible.

Thanks for your help
